DDM Distributed Database Manager for SQL and ODBC. Installation and User Guide Version 5.27.xx

Transcription

1 DDM Distributed Database Manager for SQL and ODBC Installation and User Guide Version 5.27.xx

2 Communication Devices Inc. 85 Fulton St. Boonton, NJ USA Phone: Fax: Internet: Last Revision 4/2010

3 Table of Contents 1 INTRODUCTION DDM VERSIONS WHAT THIS MANUAL CONTAINS SYSTEM REQUIREMENTS README FILES CONTACT INFORMATION OVERVIEW CDI S ROLE IN NETWORK SECURITY DEVICE MANAGEMENT DATABASE ORGANIZATION INSTALLING THE DDM SQL VERSION INSTALL THE DDM SQL SOFTWARE CREATE, INSTALL, OR UPGRADE THE DDM DATABASE ON THE SQL SERVER Create New SQL Server DDM Database Create New Server DDM Database and import DDM Database Data Create/Upgrade SQL Server and Import DDM Databases Upgrade Existing SQL Server DDM Database Upgrade DDM Client Only EXECUTING THE DDM SQL PROGRAM: ACCESSING THE PROGRAM INSTALLING THE DDM ODBC VERSION INSTALLATION STEPS FOR DDM ODBC VERSION ACCESSING THE PROGRAM GETTING STARTED STARTING THE DDM PROGRAM NAVIGATING THE DDM SOFTWARE OPENING SCREEN Device View INSTALLATION AND SET UP OVERVIEW WORKING WITH GROUPS ADD A GROUP RENAME A GROUP DELETE A GROUP GROUP MODIFICATIONS UNIGUARD GROUP MODIFICATIONS PORT AUTHORITY GROUP MODIFICATIONS MULTIGUARD GROUP MODIFICATIONS REAL TIME LOG LIST

4 6.9 ENABLING THE REAL TIME LOG LIST Printing, Saving and Deleting the DDM Real Time Log Deleting items from the DDM Real Time Log DEVICES ADD A DEVICE TO A GROUP Duplicate a Device Move a Device Use the Device Wizard to add a device Modifying Device Properties Renaming a Device Deleting a Device CONFIGURING A DEVICE Device Info Screen Country Dialing Using the DDM SETTING THE NETWORK PROPERTIES OF A SPECIFIC DEVICE Network Properties, IP Configuration DDM Heartbeat Attributes DNS Attributes SNMP Attributes Network Properties (versions below 4.01) Network Properties (IP type set for external) SYSTEM OPTIONS Port Authority SAM Host Devices SAM Authentication Process Port Authority devices UniGuard devices UniGuard Clients COMMUNICATIONS SCREEN DEFINED PORTS SCREEN Port Properties - Host Port Configuration Power Port Configuration Slave Device Setting (For Port Authority Only) Programmable ESC Code REMOTE ENCRYPTORS SCREEN CLIENT ENCRYPTORS PORT AUTHORITY SAM CLIENT Device Info Screen for a Port Authority SAM Client Device, System Options for Port Authority SAM Client Encryptor Communications Screen for Port Authority SAM Client Device UNIGUARD CLIENT ENCRYPTOR AES/TDES Mode for UniGuard Client Client Encryptor pre-dialog UNIGUARD CLIENT Adding a UniGuard Client UniGuard Client Device Information Screen Network Properties for a UniGuard Client UniGuard Client, System Options Communications Screen UniGuard Client SSE CLIENT Adding an SSE Client

5 9 USERS ADD A USER User Info User Security Token Key Info Screen RSA SecurID Token Info Encryption User and ENCRYPTOR ADDING EXISTING USERS TO A GROUP DELETE A USER FROM A GROUP LISTING USERS OF A GROUP MODIFY PROPERTIES OF A USER USER LOCK LIST USER MANAGEMENT LIST SETTINGS SETUP SCREEN Modem Properties Setup Properties for UniGuard DATABASE UTILITIES DB ADMINISTRATOR LIST Enabling Automatic Services and Database Management Unlock Database Records DDM Seat Licenses DDM SQL only Add Seat Licenses to Database DDM SQL only DEVICE LICENSE Adding Device Licenses to the database RSA SECURID TOKEN ATTRIBUTES RSA Pin Length RSA Next Pin Mode RSA SECURID ENABLE FILES Add RSA SecurID Enable Files DDM LOG FILES PURGING SETUP DEFINE SNMP EVENTS SETTING UP MULTIPLE DDM POLLING MultiPoll\License File Path DDM SQL only DDM Polling Stations Adding Poll Stations SELECT GROUPS TO POLL Edit a Station Deleting a Station DDM IP DIALOUT LIST Adding a non-cdi device Edit a non-cdi Device Delete Device Adding CDI Devices to the IP Dialout ALARM ALERT LIST Enabling the Alerts feature User Properties Adding an User DISPLAY DDM REGISTRATION FORM

6 10.13 SSM SETTING DDM RADIUS SERVICE EXPORT DDM DATABASE TO XML FILE PROGRAMMING DEVICES PROGRAM MENU PROGRAMMING DEVICES OVERVIEW Program-Update Device Program-Reload Device Program Group RESET A GROUP PROGRAMMING FLASH FOR A SELECTED GROUP PROGRAMMING FLASH FOR A SELECTED DEVICE PROGRAM ALL DEVICES TELNET TO DEVICE STATUS PROGRAM DEVICE CONTACT LIST CONFIGURE THE IP CARD OF A DEVICE DDM PROGRAMMING A REMOTE SSE USING MODEM COMMUNICATIONS DDM FLASH PROGRAMMING A REMOTE SSE USING MODEM COMMUNICATIONS DISPLAYING THE DDM REAL TIME INFORMATION FOR A SELECTED DEVICE DISPLAYING THE AUDIT INFORMATION FOR A DEVICE PROGRAM GROUP FLASH DEVICES IP CARD CLEAR DEVICE REPORTING AND MAINTENANCE REPORT VIEW REPORT TEMPLATES AUDIT TRAIL MAINTENANCE Purging the Audit Trail Archive DDM ODBC Databases Purging the Audit Trail Purging the DDM Real Time Log EXIT THE REPORT SECTION AND RETURN TO THE DEVICES/USER VIEW DDM POLLING SERVICES ABOUT POLLING SERVICES EDITING A POLLING SERVICE ACCOUNT TYPES POLLING MODES Poll all devices in the database Poll by selected groups Poll by selected devices INSTALLING A POLLING SERVICE Scheduling a Service Stopping or Deleting a Polling Service TROUBLESHOOTING

7 Appendix A Cabling Appendix B Multiport Options Appendix C Audit Trail Events

8 1 INTRODUCTION The Distributed Database Manager (DDM) software products are designed to remotely manage the databases of CDI s UniGuard, Port Authority, Port Authority SAM, and SSE devices. The software products are menu-driven and easily learned. The program is designed to function using the Windows XP, operating system. Windows Server 2003 and MS/SQL 2005 are recommended for DDM SQL server installations. 1.1 DDM Versions Two versions of the DDM are available: DDM SQL and DDM ODBC. The DDM SQL version is designed to handle multiple concurrent sessions. Through the SQL Server database, a number of DDM managers can access the database simultaneously. The DDM databases are stored on the SQL Server database and are easily modified, synchronized, and updated. All information can be backed up for easy and safe restoration in the event of system failure using the SQL Server database utilities. The DDM ODBC version cannot handle multiple concurrent sessions and is meant for a single DDM connection on the concurrent machine. The DDM ODBC databases are stored on a Microsoft Access database. All information can be backed up for easy and safe restoration through the DDM ODBC Utilities. 1.2 What this Manual Contains This manual will provides installation and operation instructions for both the SQL and the ODBC versions of the DDM program. Installation and operation instructions for the Port Authority, Port Authority SAM, and SSE devices are detailed in their respective manuals. 1.3 System Requirements The DDM software requires a workstation (PC) that meets the following requirements. Memory: 1GB RAM minimum Operating System: Windows XP, Windows 2003 server Hard Drive: 100 GB minimum CD or DVD drive Access to a SQL Server

9 The program is loaded from a CD ROM Disk. A separate mini-cd disk, The Device License disk, is provided which will enable the number of devices (UniGuard, Port Authority and or SAM Units) allowed stored in the system. The number of devices that can be managed is virtually infinite, limited only by the storage capacity of the workstation. 1.4 Readme Files The program disk contains a readme file that contains the updates and related information. Please read this file before installing the software. 1.5 Contact Information If you need to contact us, please call Communication Devices Inc. at or visit us at 1-2

10 2 OVERVIEW A network is comprised of routers, firewalls, and other network elements. These elements are usually monitored by Network Operations Center (NOC) technicians. When there is a problem, the technicians must access the console port of the router or other network element to reset the device or perform other maintenance. The console port can be accessed by in-band or out-of-band communications. For security purposes, it is important to limit access to this port to authorized users, and protect the information being sent from the technician to the router or other element. 2.1 CDI s Role in Network Security CDI offers devices that provide both authentication and encryption functions or authentication only. These devices provide secure out-of-band communication between the technicians and network elements. Out-of-band communication uses a secondary path for communication providing more security and enabling devices to be contacted even when there is a network problem Before accessing a router, a technician connects to a CDI UniGuard or Port Authority device and authenticates. Each CDI device maintains a database of authorized users and authentication information. Once the user has successfully authenticated, he/she is permitted to access the network element. All information is encrypted. On the NOC side, a UniGuard device can be set to encryption mode only and encrypt the information being sent by the technician. Figure 2-1 Example of Secure Out-of-Band Management for Routers 2-1

11 In certain situations, the encryption of data is not required. For these situations, a secure authentication modem (SAM), which operates out-of-band and provides authentication only, can be installed. 2.2 Device Management The CDI devices are managed remotely by the CDI s Distributed Database Manager (DDM) application running on a Windows PC. The number of devices managed by the DDM is limited by the resources of the PC. The DDM provides centralized management and maintains a central database of users and devices enabling devices and users to be added, deleted, or modified from one location. Each UniGuard and Port Authority device has a local database updated from the DDM database. The DDM communicates with remote devices over dial-up phone lines, serial ports, or IP connections. All communications are encrypted. 2.3 Database organization The central database maintained by the DDM is separated into groups. A group is a collection of devices that share a common user database. A group can be defined by region, company, or by some other association. A device can only belong to one group but an individual user can be assigned to multiple groups. When changes are made to the database, the changes can be sent to one device, devices of one group, or all devices. A log file is maintained by the DDM for tracking system events, such as database updates. GROUP DATABASE STRUCTURE GROUP USERS DEVICES New York Corp J. Williams H. Peterson S. Murphy M. Clarke Port Authority UniGuard1 UniGuard2 UniGuard3 Figure 2-2 Group Database Structure In this example, the Group New York Corp has four users, each having access to any of four devices. If a device is a multiport device, such as the Port Authority, a user may have access to a single port, several ports, or all ports of the Port Authority. The number of devices assigned to a group as well as the total number of groups is virtually infinite, limited only by the storage capacity of the computer running the DDM program. 2-2

12 3 INSTALLING THE DDM SQL VERSION This section provides the DDM Administrator with DDM Installation instructions for the SQL version. The SQL version should be installed if multiple concurrent sessions are necessary. To install the DDM SQL version, you must install the software and then create, upgrade, or install DDM database Install the DDM SQL software. Place the installation CD-ROM in your CD drive. After a few seconds, the Installation Guide screen is displayed. To install the DDM software, click on the Install CDI Distribution Database Manager Software link. The InstallShield Wizard, which guides you through the installation, is installed. The InstallShield Wizard starts the installation of the DDM-SQL software. Click Next to continue with the installation. 3-1

13 The Software License Agreement is displayed. After you have read it, click the appropriate radio button to accept the agreement. Click Next to continue with the installation The Customer Information screen is displayed. Enter your User name and Organization and select an installation option. The first option allows anyone who has access to this computer to use this program. The second one limits access to the user whose name appears in the User Name window. Click Next to continue the installation. During this part of the installation you will need to choose the folder in which the DDM Software is to be installed. To use the suggested folder, click Next to continue or click Change to select a different location. 3-2

14 After all the required information has been entered, the DDM Install Shield Wizard displays a summary page of the information entered. To change the information, click Edit. If no changes are required, click Install to start the installation process. A completion message is displayed when the software has been successfully installed. Click Finish to close the InstallShield Wizard. After you click Finish, the DDM Registration Form is displayed. To be eligible for covered upgrades and support, this form must be returned to CDI. You may submit the form by or print it and send it to the address listed on the form. CDI needs this information to contact you, or the current administrator with important updates that may affect the performance of the products. This is not used as a sales tool Remove the CD ROM Disk from the drive. 3-3

15 3.2 Create, Install, or Upgrade the DDM Database on the SQL Server. After the DDM program has been installed, you must then create, load, or upgrade the databases on the SQL server. Click on the appropriate option. Each option is explained below. You must logon on to the SQL Server and have administration rights. You will be asked to confirm that you have the appropriate rights to create a new or modify the SQL database before you can continue Create New SQL Server DDM Database Select the "Create New SQL Server DDM Databases from the DDM Database if you are installing the database for the first time. This means that the DDM database does not exist on the SQL Server and old DDM databases (access databases) do not need to be imported onto the SQL Server. You will be asked to confirm that you have the appropriate rights to create a new SQL database before you can continue. If the database already exists, a message indicating this is displayed. 3-4

16 3.2.2 Create New Server DDM Database and import DDM Database Data Select the "Create New SQL Server DDM Databases and Import Access DDM Database Data to the new SQL Server DDM Database only if the DDM Database does not exist on the SQL Server and you need to import old DDM Databases (access databases) onto the SQL Server. Before you start, make sure all users are disconnected from the DDM databases. Copy the databases ddmdata.mdb and ddmlog.mdb databases to another directory as a backup. The DDM installation will create the DDM databases in the SQL Server, then copy the database information from the old DDM databases to the new SQL Server DDM databases. TIP It may take as long as 15 minutes to import large DDM databases. To avoid interference from the network during this time, copy the databases to your local PC and perform the upgrade there. Point the ddmdata and ddmlog databases to this directory on your PC from the ODBC Administrator dialog in the Windows Control Panel and then continue with the upgrade Create/Upgrade SQL Server and Import DDM Databases To Create/Upgrade an SQL Server and Import Multiple Access DDM Databases into the SQL Server, click on the button labeled Create/Upgrade an SQL Server and Import Multiple Access DDM Databases into the SQL Server Upgrade Existing SQL Server DDM Database Select the " Upgrade Existing Server DDM Database option from the DDM Database Upgrade Program screen. For this to occur the DDM databases must already exist in the SQL Server. You will need to logon to the SQL Server and have administration rights to be able to create and alter databases. The DDM installation will upgrade the DDM databases in the SQL Server. 3-5

17 Enter a Username and Password that has full rights in the SQL Server Upgrade DDM Client Only Select the button labeled "Upgrade DDM Client Only" from the DDM Database Upgrade Program screen. This will only install or upgrade the DDM Client files, bypassing a SQL Server DDM database creation or upgrade process. For RSA SecurID Token type users that are RSA SecurID Token type, RSA SecurID will supply a disk with their serial numbers. 3.3 Version Control At the end of the installation, the user is given the option of implementing DDM Version Control. When version control is implemented, DDM stations can be updated to the latest production DDM software when the DDM program is started. If the DDM version is below , a query will be presented to the DDM user to update its files to the latest DDM production files. The DDM Database level in the SQL Server must be at or above version 5.26 for this to be presented to the DDM user. If Version Control is not implemented during the installation, the install files would have to be run again in order to get to the option of implementing Version Control. 3-6

18 If the user accepts this installation query, the installation will create a directory ( \\DDMInstalls\DDM52701\...) in the shared path (License File Path) with all the DDM installation files for version The DDM/SSM users must have full rights to this shared path. If this path is not defined, DDM Version Control cannot be implemented. 3.4 Executing the DDM SQL Program: Once the CDI Distributed Database Manager SQL has been successfully installed, remove the Distributed Database Manager CD ROM disk from the CD ROM. To run the CDI Database Manager application, click the Start button and then select CDI DDM Manager SQL from the program list. You may also start the application from the Finished Installation window. 3.5 Accessing the Program To access the program, the DDM user must successfully authenticate by using one of two types of SQL Server authentication: Trusted Connection or SQL Server User Name/Password. 3-7

19 Trusted Connection A Trusted Connection uses Windows authentication credentials. Enter the user name and password that you use to logon to your PC workstation. SQL Server User Name/Password The SQL Server authentication relies on the SQL server security options set up by the System Administrator. You must enter the SQL Server name to successfully logon to the DDM SQL Server. Connection Timeout: Enter the number of seconds the system will wait to connect to the SQL Server (default value is 15 seconds). 3-8

20 4 INSTALLING THE DDM ODBC VERSION This section provides the DDM Administrator with DDM instructions for the installation of the DDM Installation ODBC version. The ODBC version is selected when capability of multiple concurrent sessions is not necessary and there are a limited number of users. 4.1 Installation Steps for DDM ODBC Version Place the installation CDROM in your CD drive. After a few seconds, the Installation Guide screen is displayed. To install the DDM software, click on the Install CDI Distribution Database Manager Software link. The InstallShield Wizard guides you through the installation of the DDM-ODBC software. Click Next to continue with the installation. The Software License Agreement is displayed. After you have read it, click the appropriate radio button to accept the agreement. Click Next to continue with the installation 4-1

21 The Customer Information screen is displayed. Enter your User name and Organization and select an installation option. The first option allows anyone who has access to this computer to use this program. The second one limits access to the user whose name appears in the User Name window. Click Next to continue the installation. During this part of the installation you will need to choose the folder in which the DDM Software is to be installed. Click Next to use the suggested folder or click Change to select a different location. After all the required information has been entered, the DDM Install Shield Wizard displays a summary page of the information entered. To change the information, click Edit. If no changes are required, click Install to start the installation process. 4-2

22 A completion message is displayed when the software has been successfully installed. Click Finish to close the Install Shield Wizard. After you click Finish, the DDM Registration Form is displayed. To be eligible for covered upgrades and support, this form must be returned to CDI. You may submit the form by or print it and send it to the address listed on the form. CDI needs this information to contact you, or the current administrator with important updates that may affect the performance of the products. This is not used as a sales tool Remove the CD ROM Disk from the drive. 4.2 Accessing the Program When the program is accessed, the DDM ODBC user must successfully authenticate to enter the DDM ODBC program. Enter the same "user name" that you use to initially log on the PC. This is a security measure to insure that only valid users can access the program. 4-3

23 5 GETTING STARTED This section describes how to get started using the DDM program to manage UniGuard, Port Authority, and SAM devices. 5.1 Starting the DDM Program Start the DDM program either from the Start Menu or by clicking the DDM desktop shortcut. After you enter your username and password, the Opening screen is displayed. Figure 5-1 Opening screen, Device/User View 5.2 Navigating the DDM software The DDM software is menu-driven and easy to navigate. Dropdown menus list options. 5.3 Help A brief description of the option and links is displayed when you rollover the option with your mouse. 5-1

24 5.4 Opening Screen The options displayed in the menu bar depend on whether Device/User or Report View is selected. To switch views, click View in the Menu bar. Device/User view is the default view. It is used when adding or modifying groups, devices, or users. Report View is selected when creating or viewing reports. Please refer to section 12 for more information about Report View and reports Device View The left pane of the screen displays the Group List. The right pane displays the names and certain attributes of the devices in a selected group. Group List The Group List is displayed in the left pane. The Group List may be expanded to display all groups. The Groups displayed in the Group List will have been retrieved from the DDM Databases in the SQL Server. The Device Not Contacted List is a list of all devices in the system that have not been programmed and/or an error has occurred in the programming of a CDI device. The DDM Real Time Log List is a list of all events that happen to a device in real time. The device must have an IP card to communicate with the PC running the DDM program and the DDM Real Time Log must be enabled on the particular DDM PC. Each Group may be expanded to display information pertaining to the Groups: A Group may be compressed to display the only the Group name. Devices in the Group Client Encryptors in the Group Users in the Group User Locked List New Device Template for the Group Group Modifications 5-2

25 Devices and Attributes The right pane lists the names and attributes of devices of a group. Each field is described below: Device Name: Name given to the device when the device was added. Device Type: Type of device, such as Master Port Authority-88 with IP, UniGuard with IP, Port Authority 11SAM. Device Mode: Authentication mode of the device Standard (default) Auto Authentication/Encryption Connects to the device in an encrypted session but goes directly into the port list without a user ID/password authentication. RSA SecurID Device Allows the device to use RSA tokens for authentication. Host ID: A unique number used to identify the device in the DDM database. The serial number of the device is used as the Host ID. Program Status: Indicates whether the device can be contacted. This field will be blank if there are no problems with the device. If there was a problem programming or contacting the device, it will display a message in red. Examples: No Contact From Device: A device that has heartbeat properties configured and did not send the heartbeat I m Alive message back to the DDM. Invalid Communications: Failed to connect to the device. Error in Programming: Failed during programming of the device. Invalid System Key: The system key that is programmed into the device is different than the device record in the DDM. Invalid System Password: The system password that is programmed into the device is different than the device record in the DDM. Version: Current firmware version of the device. Phone Number: Phone number used to contact the device. IP address: IP address of device. 5-3

26 IP version: Current IP card firmware version. Def Credentials (Default Credentials): PK: Indicates that both the device s system password and system key are at default levels. P: Indicates the device s system password is at a default level. K: Indicates that the device s system key is at a default level Viewing Device Status To view the device status, right-click on the device name. The Device Properties screen will be displayed. The Device Status is displayed on the right-hand side. The Device status displays the program status of the device when the DDM attempts to connect to the device. The program status may be Idle, In use, or Alarm. Each status type is described below: Idle: The device is available to connect to the DDM In Use: The device is already connected to the DDM Alarm:: The device is in an alarm state and cannot be connected to the DDM. To clear the device status, right-click on the status and select Clear Device Status to Idle. Select Set Device Status to Alarm to put the device into an alarm state Report View Please refer to section 12 for more information about Report View and reports. 5.5 Installation and Set Up Overview An overview of the steps to install and set up the DDM program are listed below. 1. Install the DDM application on a computer running Windows. The Install Wizard will guide you through the steps. (Sections 3 and 4). 2. Create one or more groups. For each group, enter a Group name, the main device type, and the primary and secondary (optional) communication method. (Section 6) 3. Set up the device template. Any changes made to the device template will appear every time a device is added to the group. (Section 6.1) 4. Add devices or client encryptors to the group. Select the device type and enter a device name. Unless otherwise configured, the parameters in the device template will be used. (Sections 7 and 8). 5. Add users to the group. The users will be added to the database of the devices of the group. (Section 9) 5-4

27 Device Maximum number of users UniGuard 150 Port Authority Sam 22/ Port Authority Sam11 50 MultiGuard Set DDM system-wide parameters as required. These include adding device licenses, seat licenses for the DDM, and RSA licenses; assigning users as administrators; selecting the modem used to connect to CDI devices, setting up polling of devices, and other functions. (Section 10) 7. Reload (program) a single device, all devices of a group, or all devices (Section 11) 8. Create reporting templates. Switch to report view to view reports and manage reports. (Section 12). 5-5

28 6 WORKING WITH GROUPS A group is the collection of devices that can be accessed by a set of users. Groups can be defined by location, by region, or by another way that makes sense for your organization. Keep in mind that while a device may only be assigned to one group; a user may belong to multiple groups. This section describes how to do the following: Add, delete, and rename a group Make modifications to all devices of the same type View a Real Time log 6.1 Add a Group 1. In the main screen, click on Group List. Click on Group in the Menu Bar. From the dropdown list, select Add New Group. 2. On the Group Attributes screen, enter the Group Name. You may also enter a brief description. After entering the appropriate information in the Group Attributes screen, click Ok to continue. The New Device Template for Group screen displays. 6-1

29 3. Set up the Device Template for a device type. From the dropdown list, select the Device Type. Click Next to continue The Device Template establishes the default settings for the entire group. When a new device is added, the settings in the Device Template for that particular device type are used. You may later modify all settings of a device type in the Group Modifications screen. 4. Select the method for primary DDM communications and secondary DDM Communications. These settings determine the means by which the device and the DDM manager will communicate. 5. After you select the primary and secondary communications methods, the Device Template screen is displayed. 6. Click the tabs to enter device information, system options, communications settings, port options, and remote encryption. For a new or existing device, these settings may be modified in the Device Properties screen. 6-2

30 6.2 Rename a Group Double-click on a Group Name or highlight the Group name and selecting Rename Group. The Group Attributes screen is displayed. Enter the new group name and description in the information field. 6.3 Delete a Group Select Delete Group or highlight the Group and press the Delete key. You will be prompted to confirm that you want to delete the group. Click Yes to continue or No to cancel the Delete request. CAUTION: Responding "Yes" to this prompt will delete the entire group and all of its device associations. The data will be unrecoverable. 6.4 Group Modifications Group Modifications allows you to modify certain settings of all devices of a particular type in the selected group. The settings of Group Modifications will be applied to any device added to the group. 6-3

31 To display the Group Modifications screen, click on Group Modifications under the Group you wish to modify. From the Select Device Type screen, select the device type that you wish to modify or select All to modify all device types. Selecting All essentially allows modifying only those parameters that common to all device types and are listed in the Device Template screen. The parameters of the Group Modification screen differ slightly depending on the device. The parameters for each device type UniGuard, Port Authority, and MultiGuard--are listed in the following sections. For a detailed description of each parameter, please see the Devices chapter UniGuard Group Modifications For more detailed information about the UniGuard parameters, please refer to the Devices section. UNIGUARD Group Modifications Tab Parameters Description Device info System Options None User Security Level Host AT Command Access) Host Dialout Update System Password Update System Key Device Mode Host DTR/RTS loss of Signal Time (secs) First Message Delay Time Login Inactivity Time User Security Level: Establishes the User ID as either User ID only or User ID and Password as the security method when logging in to the device. Host AT Command Access: Enables the host to manage and access the device s internal modem. If full host management of the device s internal modem is necessary, this option should 6-4

32 UNIGUARD Group Modifications Tab Parameters Description be set for Enabled Transparency. Host Dialout: Enable or disable the host ability to dial out using the device s modem. Device Mode: Standard device (default) Security is enabled. Auto Authentication: device only communicates with UniGuard clients in an encrypted session. RSA SecurID ACM (act as an RSA ACM device) RSA SecurID Device (first authenticates with a valid User ID and then authenticates using RSA SecurID. Standard Device Bypass Security: Security is disabled on the device. Update System Password: The system password is used by the DDM to access and program the device. Update System Key: The default key used for all devices of this type..the system key may be generated or entered. Communications Defined Ports Remote Encryptors Modem Port Bits/Parity Modem Port Baud Rate Power Port Value Primary Defined Message Secondary Defined Message Host Connect Defined Message Extra AT Command Settings None Edit Client ID Add Encryptor ID Delete Encryptor ID Select Encryptor IDs from database Primary Defined Message: A userdefined message sent out when before the authentication process begins. Secondary Defined Message: A userdefined message sent out after the first user response/prompt has been processed. Host Connect: Only applies to UniGuard devices. A user-defined message sent out to the host port after successful user authentication. The user then connects to the host application. Select from Client Database: Displays a list of IDs of clients that are allowed to access devices that belong to this group. Group IP Filter List* Add IP Filter Edit IP Filter Delete IP Filter The IP Filter address ranges can be set for inclusion mode and exclusion mode. 6-5

33 UNIGUARD Group Modifications Tab Parameters Description Inclusion mode defines an address range that can connect to the CDI device via IP and have full access to the device after user authentication. Exclusion mode defines an address range that will have no IP access to the CDI device. Example: The IP address range with the starting address of to the ending address of is set for exclusion mode. Another IP Address range with the starting address of to the ending address of is set for inclusion mode. These IP address settings result in the following: All IP addresses from to will have no access to the specified CDI Device with the exception of IP Address , and *The Group IP Filter List is for CDI devices that have a CDI internal IP card at version 2.00 or above. 6.6 Port Authority Group Modifications For more detailed information about Port Authority parameters, please refer to the Devices chapter. PORT AUTHORITY Group Modifications Tab Parameters Description Device info screen System Options None User Security Level Update System Password Update System Key Device Mode (Type)) First Message Delay Time Inactivity Time Host DTR/RTS loss of Signal Time (secs) First Message Delay Time Login Inactivity Time User Security Level: Establishes the User ID as either User ID only or User ID and Password as the security method when logging in to the device. Update System Key: This is the default key used for all devices of this type. The system key may be generated or entered. Standard device (default) Security is enabled. 6-6

34 PORT AUTHORITY Group Modifications Tab Parameters Description Auto Authentication: device only communicates with UniGuard clients in an encrypted session. RSA SecurID ACM (act as an RSA ACM device) RSA SecurID Device (first authenticates with a valid User ID and then authenticates using RSA SecurID. Standard Device Bypass Security: Security is disabled on the device. Communications Modem Port Bits/Parity Modem Baud Rate Primary Defined Message Secondary Defined Message Send AT Command Primary Defined Message: A userdefined message sent out before the authentication process begins. Secondary Defined Message: A user-defined message sent out after the first user response/prompt has been processed. Defined Ports Remote Encryptors Control Mimicking Modem Connect Message Edit Client ID Add Client ID Delete Client ID Select Client IDs from database Displays a list of IDs of clients that are allowed to access devices that belong to this group. Group IP Filter List* Add IP Filter Edit IP Filter Delete IP Filter The IP Filter address ranges can be set for inclusion mode and exclusion mode. Inclusion mode defines an address range that can connect to the CDI device via IP and have full access to the device after user authentication. Exclusion mode defines an address range that will have no IP access to the CDI device. Example: The IP address range with the starting address of to the ending address of is set for exclusion mode. Another IP Address range with the starting address of to the ending address of is set for inclusion mode. Result of these IP address settings: All IP addresses from 6-7

35 PORT AUTHORITY Group Modifications Tab Parameters Description to will have no access to the specified CDI Device with the exception of IP Address , and *The Group IP Filter List is for CDI devices that have a CDI internal IP card at version 2.00 or above. 6.7 MultiGuard Group Modifications For more detailed information about the MultiGuard parameters, please refer to the Devices chapter. MULTIGUARD Group Modifications Tab Parameters Description Device info screen System Options None User Security Level Host AT Command Access Update System Password Device Mode (Type) Update System Key First Message Delay Time Host DTR/RTS loss of Signal Time (secs) First Message Delay Time Login Inactivity Time User Security Level: Establishes the User ID as either User ID only or User ID and Password as the security method when logging in to the device. Update System Key: The system key may be generated or entered. This is the default key used for all devices of this type. Standard device (default) Security is enabled. Auto Authentication: device only communicates with UniGuard clients in an encrypted session. RSA SecurID ACM (act as an RSA ACM device) RSA SecurID Device (first authenticates with a valid User ID and then authenticates using RSA SecurID. Standard Device Bypass Security: Security is disabled on the device. Communications Primary Messages: Primary Secondary Extra AT Command Settings Primary Defined Message: A userdefined message sent out when before the authentication process begins. Secondary Defined Message: A userdefined message sent out after the first user response/prompt has been processed. 6-8

36 MULTIGUARD Group Modifications Tab Parameters Description Defined Ports Remote Encryptors Group IP Filter List* None None Add IP Filter Edit IP Filter Delete IP Filter The IP Filter address ranges can be set for inclusion mode and exclusion mode. Inclusion mode defines an address range that can connect to the CDI device via IP and have full access to the device after user authentication. Exclusion mode defines an address range that will have no IP access to the CDI device. Example: The IP address range with the starting address of to the ending address of is set for exclusion mode. Another IP Address range with the starting address of to the ending address of is set for inclusion mode. These result in the following: All IP addresses from to will have no access to the specified CDI Device with the exception of IP Address , and The Group IP Filter List is for CDI devices that have a CDI internal IP card at version 2.00 or above. 6.8 Real Time Log List The DDM Real Time Log List is a list of all events that happen to a device in real time. The device must have an IP card to communicate with the PC running the DDM applications and the DDM Real Time Log must be enabled on the particular DDM PC. These logs can only be viewed from the Real Time Log List. The items are color-coded to indicate the severity of the real time log item. 6-9

37 REAL TIME LOG ALERT SEVERITY LEVELS SEVERITY COLOR ALERT Green INFORMATION Blue DEBUG Blue WARNING Orange EMERGENCY CRITICAL ERROR NOTICE Red Red Red Red Each entry in the log has the following information: Date/Time, Device Name, Facility, Severity, Message, and Source IP Address. 6.9 Enabling the Real Time Log List The Real Time log list must be enabled before you can view it. 1. Click on SETTINGS in the Menu bar. From the dropdown menu, select Setup. 2. In the Setup window, click the checkbox titled Enable DDM Real Time Log. 3. Modify the default DDM Real Time Log Port value if necessary. The default port is Click OK to enable the Real Time Log option and exit the Setup window. When this option has been enabled, the IP address of the DDM will appear in the title bar of the Setup window. 5. After enabling the DDM Real Time Log option and exiting the Setup window, the DDM Real Time Log listener will be activated. As logs come in, they will be validated Select DDM RealTime Log List under Group List to view the log. All new log items will be inserted in the view list in real time. and inserted into the DDM databases (DDMSysLog and DDMLog). 6-10

38 Number of log entries Printing, Saving and Deleting the DDM Real Time Log The DDM Real Time Log can be printed or saved to a file. To print or save the file, highlight any line on the DDM Real Time Log and click on the GROUP in the menu bar of the DDM window. From the list displayed, select the appropriate action--print DDM Real Time Log or Save DDM Real Time Log to file. If Save DDM Real Time Log has been selected, choose the folder in which the file is to be saved and enter the filename in the displayed Save As window. 6-11

39 6.9.2 Deleting items from the DDM Real Time Log To delete a real-time log, click Devices in the menu bar and then select Delete DDM Real Time Log. The real-time log of DDM actions will be deleted. Once deleted, it cannot be recovered. 6-12

40 7 DEVICES This section explains how to add to a device to group, remove a device from a group, and configure the properties of a specific device. For information about adding UniGuards and Port Authority devices as client encryptors, may be added to a group as client encryptors, please refer to the Client Encryptors chapter. 7.1 Add a device to a group A device may be added to group by one of the following ways: Duplicate a device Move a device from one group to another Use the Add Device Wizard Duplicate a Device Display the Device List by double-clicking the Device Leaf of the Selected Group; the device list for this group will be displayed. To duplicate a device, click on the device and drag and drop it to the new Group. From the Duplicate or Move Device screen, select Duplicate Device. When a device is duplicated, the device settings will be duplicated only. The group parameters for the device will be dependent on the group to which it is attached Move a Device To move a device from one group to another, click on the device and drag it to the new group. The Duplicate or Move Device screen will be displayed. From this screen, select Move device. When device is moved from one group to another, the device settings remain the same but the group setting for the device changes. For instance, the device will be attached to the users and client IDs attached of this group only Use the Device Wizard to add a device The Add Device Wizard guides you through the steps to add a new device. When a new device is added to a group, the New Device Template is applied, which was 7-1

41 created when the Group was created. The New Device Template uses the group parameters as a basis for the device properties. 1. Click on the name of the group to which you want to add the device. 2. Click on Devices in the menu bar and select Add New Device. The New Device Properties screen is displayed. Alternatively, you may double-click the Device leaf under the Group name to display the New Device Properties screen. Alternatively, click to highlight a device name in the right panel. Right-click the device name and a menu with device options is displayed. Select the Add New Device option to add a device. 3. From the New Device Properties screen, select the device type from the scroll down list. Enter a name for the device. 4. Click on Device Info to add optional information. Click Next to continue. 7-2

42 5. The wizard displays the Connection screen. From the scroll-down list, select the primary and secondary method by which the device will communicate with the DDM. For each communication method, enter the IP address, port, and other requested information. 6. On the next screen, the wizard then prompts you to enter a password for the device. You also have the option to use RSA SecurID. Select Yes to use RSA SecurID.. 7. Click Finish to complete the procedure. 8. After the device parameters and all the users for this device have been entered, the information can be loaded to the device from the DDM. To do this, select Reset Device from the Program menu.. This will reset the device to the default parameters and load the new system and port options. It will clear the device s User database and reprogram it with the latest User database for this Group. If you are adding several devices to a group, add all the devices first, and then select Reset Group from the Program menu Modifying Device Properties You can change the properties of an existing device. To do this, double-click on the device in the Device List view to display the Device Properties screen. You may then change the Device Info properties or click on the appropriate tab to modify other settings. Alternatively, you can click on Device in the Device List view, then click on Device in the menu bar. Select Display/Rename Device to display the Device Properties screen Renaming a Device The name of an existing device can be changed by highlighting the existing device in the device list and then selecting, Display/Rename Device, or by double clicking on the device in the Device List view Deleting a Device To delete a device, highlight the existing device in the Device List view and then click on Device in the menu bar. Select Delete device. You can also click on the device in the device list and then press the delete key. "Display/Rename Device Attributes" will display the Device Properties screen and "Delete Device" will delete the device from the group after the appropriate warning prompt. 7.2 Configuring a Device The Device Properties screen enables you to configure devices managed by the DDM. You can display this screen by double-clicking on the device name from the device list in the Main screen. 7-3

43 You can also display the Device Properties screen by clicking on the specific device name. From the menu bar, click Devices and then Display Device Attributes. The Device Properties screen has five tabs that display screens for entering parameters to set up for devices managed by DDM. Not all tabs apply to all device types. The fields on the screens depend on the device type selected. Device Info System Options Communications Defined Ports (for Port Authority, Port Authority SAM or a MultiGuard devices only) Remote Encryptions Device Info Screen The Device Info screen enables you to enter reference information about the device being added and define the communication paths by which DDM will access the device. To display the Device Info screen, Right click on a device. From the menu, select Edit Device (or double click on device), and then click the Primary Network Properties button 7-4

44 Device Type: Required. Select the device type from the dropdown list. Available devices include the Port Authority SAM (-11, -22, -44), UniGuard, Port Authority (-88, -44 or 84), or a MultiGuard. The default setting is UniGuard. Device Name: Required; for reference to the device s ID, such as company, location, etc Device Status link: Click on this link to view whether the program status of the device. IDLE: Device is ready to connect to the DDM IN USE: Device is connected to the DDM ALARM: Device is in the alarm state and can not be connected to the DDM To clear a device or to put in an alarm state, click the status link. Select Clear Device Status to put the device in an idle state. Select Set Device Status to Alarm to put the device in an alarm state. NOTE: When the DDM is communicating with a CDI device, device the status will read IN SE. If the device is not being used and the status still reads INUSE, click on the status and select Clear Device Status to IDLE. Serial Number: No entry is necessary. When the DDM accesses the device, it retrieves the device s serial number and adds it to the DDM database. RSA SecurID Enable: Set this to make the device act as an ACM device and as a replacement for an RSA SecurID ACM unit. The device can also be an RSA SecurID unit (CDI device/acm device). The serial number field will display the RSA Serial Number. Version: No entry is necessary. When the DDM accesses the device, it retrieves the device version and adds it to the DDM Database. 7-5

45 Primary Polling Device: This unit will be polled first when the Group is being polled if this option is selected. A group need not have a Primary Polling Device assigned. Each group can have one device that will be the primary device of Group. Asset Tag: Optional. Enter additional information to better define the CDI device. A maximum of 20 characters may be entered for this field. Information: Optional. Enter additional reference information. Primary Communications: Determines whether the primary method of accessing the device will be via a network, dial-up phone lines through a modem or through the serial port. If Serial Port is selected, you will be prompted to enter the COM port number the DDM will use to communicate with this device. Secondary Communications: Optional; Determines the secondary path of communication. If the Serial Port is selected, a window will request a COM port number that the DDM will use to communicate with this device. Time Offset: Optional; The hours ahead of or behind local time at the Network Administrator s location. The offset is used in report generation and to set the time of the remote devices. Example: If the DDM Manager is located in New York (EST) and the device is located in Los Angles (PT) then the offset will equal 3 (hours). Primary Network Properties: Click this button to configure the parameters of the IP card of a device that has IP capabilities, allowing access to the device through a network. RSA SecurID Enable: Click the RSA SecurID Enable button to display the Enter the Device Serial Number screen. In this screen, you can set the device as an RSA device. For RSA SecuID ACM only: If the device is a replacement for an RSA SecurID ACM unit, select this setting makes the UniGuard act like an ACM device. RSA SecurID unit: The device can also be an RSA SecurID unit (CDI device/acm device). The device will authenticate with an RSA Token and non-rsa user types. Use Dialing Options: Required if the device will be dialing a country or region requiring a Country or Region dial code. Country/Region List: (Displayed only if Use Dialing Options is enabled). A list of countries and their associated country codes. If used, dialing options will be enabled and the list will define the devices destinations country code. Dialout Modem Number: Required for devices that will be accessed via phone lines. When typing the phone number do not put in any spaces. IP Type, Internal/External: IP Type defines the type of IP card, Internal or external. Internal IP - The device is set for an internal CDI IP card. 7-6

46 External IP - The device is not set for an internal CDI IP card but it can be programmed by the DDM through an external IP connection. For example, the link port of a UniGuard (no IP card) can be connected to a Cisco Router's AUX port. To connect to the Cisco Router AUX port a connection would be made to the Cisco Router via an IP address (ex ). The DDM then can program (contact) the device via Network communications using this IP address. The following is only displayed in the devices that have the IP Option. Use as IP Dialout Connection (Optional) with internal IP card or external IP access device. The IP Dialout allows access to a modem for Dialout purposes but first connects to the modem via a Network IP Address (virtual modem port, e.g. Terminal Server, UniGuard device (version 8.13 and up)). If device type is a UniGuard and it has a network address, it can be used by the DDM as an IP Dialout connection by checking the Use as IP Dialout Connection option in the Device Properties window of the UniGuard Country Dialing Using the DDM Each device can be contacted by the DDM via Modem or IP Dial out communications using the dialing properties of the PC. If the option Use Dial Options is enabled in the Device Properties screen, the device can be set for a (destination) Country/ Region code by selecting the Country Name and corresponding Country Code from Country/region list in the Device Info screen. When dialing the device, the DDM PC will use the latest location information, the dialing properties of the PC, the destination country code, and the phone number defined in the DDM device s properties. Example of Country Dialing Using the DDM A device in the DDM database is to be dialed by two DDM PCs, one located in the US and the other located in the UK. They are connected to a SQL Server 2000 database located in the UK. We want to be able dial to the device, which is located in Japan, from both DDM locations. In each DDM location, the DDM can be set to use a particular location name. For the device in Japan, enable Use Dialing Options in the Device Properties screen. After User Dialing Options has been enabled, select Japan as the country from the Country/region list [ex. Japan (81)]. You will need to enter the telephone number of the device (ex ) for the DDM to dial it. 7-7

47 Device located in Japan dialed by DDM client in the UK Long Distance Access prefix = 787 (if defined) International Rule for UK is 00 DDM dials Device located in Japan dialed by DDM client in the US Long Distance Access prefix = 987 (if defined) International Rule for US is 011 DDM dials Setting the Network Properties of a Specific Device The Primary Networks Properties screen enables you to configure the network properties of a specific device. This screen is accessed from the Device Properties screen. To display the Primary Networks Properties screen, click the Primary Network Properties button on the Device Properties screen Network Properties, IP Configuration The Network Properties screen, IP Configuration allows for the configuration of an IP Port including a Gateway Address if required. Device IP Address: Required. Address of the IP Port. Port No: Port number used to communicate from the Network side ex. Telnet Port Number. To update the port number, click the Update Port 7-8

48 Number button. Break commands can only be sent out on Port 23 (Telnet Port). Use Default Port for DDM Programming: Click to enable the DDM to use of the device default port for programming. NAT Address: Required: Enter the NAT Address. Normally this is the same as the Device IP address. The purpose for this address is for the devices of an Internal network to be identified by one IP address when routed to a different network. Subnet Mask: Required: The Subnet Mask is a mask used to determine to which subnet an IP address belongs by filtering with this bit pattern. If your host PC is using the wrong subnet mask you will not be able to correctly identify all users on that subnet and many users could be unreachable by your computer. The subnet mask is defaulted to work with an 8-bit host address. For any other host bit address, you must change the subnet mask to the proper setting. Gateway Address Optional: The router/gateway address that allows you access to other network segments. This address must be within the local network Assigned Client PPP Address (Optional): Enter the Assigned Client PPP Address. The CDI device will send a request to the host at the PPP address entered, establishing a PPP session. Hardware Address: If the device will be programmed through a modem/dial-up connection you DO NOT NEED to enter the Hardware address, DDM will automatically receive it when dialed in. IMPORTANT: If the device will be programmed through the IP Network you must enter the hardware address in the Hardware Address field. SysLog IP Address: Optional: Enter the SysLog IP Address. If a Syslog Server application is running on your network, CDI Devices can report audit trail messages back to the Syslog Server for monitoring purposes. Backup SysLog Server: Optional. Enter the Backup SysLog Server address. SysLog IP Port: Optional: Enter the SysLog IP Port that the CDI Device can use for communication purposes. Radius IP Address: Optional: Enter the Radius IP Address Backup Radius Address: Optional. Enter a backup IP address for the Radius server. Radius IP Port Number: Optional. Enter the Radius IP Port Number Radius Key Optional: Enter the Radius Key. This can be up to 128 characters. 7-9

49 7.3.2 DDM Heartbeat Attributes The DDM Heartbeat is an automatic I m alive message that is sent periodically by a remote device to a DDM workstation enabled for real time logs. If heartbeat messages (or any other messages) are not sent to the DDM within the given time interval, a No Contact From Device alarm will be triggered for this device. The CDI device must have an Internal IP card running version 4.01 or above. DEVICE PROPERTIES SCREEN DEVICE INFO TAB PRIMARY NETWORKS PROPERTIES BUTTON DDM HEARTBEAT BUTTON HEARTBEAT ATTRIBUTES SCREEN Example: If the Maximum Number of Missed heartbeats is set to three beats and the Heartbeat Message Interval to 60 minutes, a No Contact From Device error is generated by the DDM each time the device does not respond with 180 minutes (3 x 60). Tip: A screen explaining the DDM heartbeat attributes can be displayed by clicking the Help button of the DDM Heartbeat Attributes window. DDM Real-Time Log Address: IP address of the DDM workstation that is enabled for Real Time logs. DDM Real-Time Log Port: The port number associated with the DDM Real-Time Log Address. The port number can range from 5000 and up. This port number will be set from the DDM workstation that is enabled for DDM Real Time Logs. Max No. Of Missed Heartbeats: Number of missed heartbeats that will trigger an alarm from the DDM workstation that is set for real time logs. The default is zero. Heartbeat Message Interval: The time in minutes between heartbeats sent by the remote device. For example, an interval of 60 would generate a heartbeat once an hour by the remote device. This interval would be programmed into the device. The default is zero. 7-10

50 Disable Heartbeat Attributes: Check the Disable Heartbeat Values box to disable the DDM Heartbeat for this device DNS Attributes Click this button to display the DNS attributes for this device SNMP Attributes Click this button to display the SNMP attributes for the device. Enter the primary and backup SNMP IP addresses and the primary and backup SNMP port numbers Network Properties (versions below 4.01) The Network Properties screen for CDI devices with an internal IP card running a version below 4.01 have the fields listed in previous section as well as the following fields. Use IP Address for Device Programming: This defines the IP address to be used by the DDM for the remote programming of the device. Enable ID/Password Authentication option. When enabled (check marked) all network connections to this IP address (e.g ) will first need to authenticate (ID/Password authentication) successfully before accessing the CDI device. This is only for CDI devices with the CDI internal IP Card version 3.03 and above. The IP Admin User ID and IP Admin Password fields are used for ID/Password Authentication and can be up to 10 characters. If the Enable ID/Password Authentication option is enabled, the Radius fields will be disabled. 7-11

51 The Update ID button for the IP Admin User ID field and the Update Password buttons for the IP Admin Password field will always be displayed when editing an existing device. The IP Admin User ID can only be updated using the Update ID button. The IP Admin Password can only be updated using the Update Password button. The Update Port Number button for the IP Port number field will always be displayed when editing an existing device. The IP Port number can only be updated using the Update Port Number button Network Properties (IP type set for external) The Network Properties screen for external IP type device has three fields. The fields are described below. Device IP Address: Enter the IP address of the IP card. Port No: Enter the port number for communication from the Network side, for example. Telnet Port number. NAT Address (Network Address Translation): Address that will allow multiple devices to use a single IP address to access the Internet. 7.4 System Options The parameters on this screen enables you to set user security levels, system password and key information, and first message delay time. The System Options screen may have different parameters depending on the device. User Security Level: Select the security method used when a user logs on to the device. The two methods available are User ID and User ID and Password. 7-12

52 IP Dialout (for devices with the IP Option). This enables the device to use the network for programming and communication purposes. You may select IP dialout with or without encryption, or you may disable (not allow) IP dialout. Sys Password: To change the system password of an existing device, click on the Update Password button to display the System Password Update screen. Enter the new password in both fields. For security purposes, the password will be displayed as asterisks. System Password: Click Update Password to change the system password. Update System Key: To change the System Key, click the Update System Key button to display the System Key Update screen. You may enter a key or click Generate to have the system create the key. A new System key may be set for a single device, for all devices in a group, or set all devices of a particular type in a group. First Message Delay Time (sec): Enter the time in seconds until the Enter User ID prompt is displayed. Login Inactivity Time: Enter the time in seconds after which the login call is disconnected if there is no data flow between the user and host Port Authority SAM Host Devices This section applies only to SAM host devices. Sam Client-Host Authentication (Only Port Authority SAM Host Device): This setting determines how the Host SAM Device will authenticate with the SAM Client Device. Disabled: No authentication takes place. User Authentication: The authentication process starts after the connection is up and the user ID has been entered. Auto Authentication: The authentication process starts as soon as the connection is up. 7-13

53 7.4.2 SAM Authentication Process When a user dials into a SAM Host Device, the SAM Host will start the authentication process by sending a start message to the client. After receiving this message the SAM Client will send back its 6-digit ID (Client ID) and its authentication credentials. The authentication credentials are derived using AES 128 Bit encryption for proprietary time base authentication using its client key. The SAM Host will then check if the 6-digit ID of the client is defined in its database. If it is not found, the SAM host sends back error message to the client. After the third attempt, it will drop the call. If the SAM Client s 6-digit ID exists in the SAM Host database, the host attempts to validate the Client s authentication credentials using the client key defined in the SAM Host s database. If the authentication validation fails, the SAM host will restart the process and make another attempt to validate the client s credentials. After three unsuccessful attempts, it will drop the call. If the authentication validation is successful, the user authentication process will continue Port Authority devices This following System Options applies only to Port Authority devices. Host DTR/RTS Loss of Signal time (sec) AES/DES Mode Select either Triple DES or AES encryption type UniGuard devices The following System Options apply only to UniGuard devices Host AT Command Access (Only UniGuards in the AT Command State) Enables the Host to access the modem in the AT Command State. Host Dialout: Enables or disables the Host to dial out using the modem. If Auto 7-14

54 authentication is selected, a dial-in user will make an authentication request for remote control management. Host DTR: This option monitors or ignores the DTR (Data Terminal Ready) signal from the Host port of the UniGuard. The default is Monitor. Power\IP Port Options: Select Program Only, Power Port Connection, IP authentication, or IP Dialout UniGuard Clients The following section applies only to UniGuard Clients AES/Triple DES Mode: Select the encryption type. Triple DES: The Host device will only do Triple Des encryption with Client Encryptors (UniGuard Clients and SSE Clients). (64 bit) AES: The Host device will only do AES encryption with Client Encryptors (UniGuard Clients and SSE Clients). The device must have a CDI AES Engine attached to its link port to do AES encryption. (128 bit) Device Mode: Select the security type. Standard Type: The Standard type is a normal CDI device. The default is Standard Device Mode. Automatic Authentication: The Automatic Authentication for UniGuard devices (above Ver 7.01) and Port Authority devices. If set for Automatic Authenticate, it will only communicate with devices in an encrypted session. Standard Device, Bypass Security: This is a CDI Device with the security disabled. 7-15

55 7.5 Communications Screen The fields of the Communications screen enable you to define modem/host port parameters of the UniGuard and the modem port of the Port Authority and Port Authority SAM devices. The screen is the same for both client and host devices. Modem/Bits Parity These options define the modem/host port of the UniGuard and the modem port of the Port Authority SAM and the Port Authority. AT Commands Settings AT commands to be sent to a remote device. To enable this feature, make the Send AT Command box is checked. When this box is checked, the AT commands entered will be sent to the device the next time it communicates with the device or when the AT command has been changed. UniGuard Communications screen When unchecked, the AT commands will not be sent. Deferred Messages The Primary, Secondary and Host Connect Messages (optional) Primary, Secondary, and Host Connect messages can be defined for the UniGuard and Port Authority SAM devices. The Port Authority device only uses the Primary and Secondary messages; there is no Host Connect message. Consult the UniGuard, Port Authority SAM, Port Authority and MultiGuard manuals for a description of these messages. This is only for CDI Devices that contain MultiTech MT2834ZDX modems or MultiTech Global modems. 7.6 Defined Ports Screen This screen enables you to set communication parameters for the Host and Power ports of the Port Authority, Port Authority SAM, and MultiGuard devices. This screen is not available for the UniGuard device since it is a single-port device. 7-16

56 Port Authority devices and Host Ports Device Port Authority-88 Port Authority-44 Port Authority-84 Port Authority SAM-44 Port Authority SAM-22 Port Authority SAM-11 Host and Power Ports 8 Host Ports and 8 Power 4 Host Ports and 4 Power Pots 8 Host and 4 Power 4 Host and 4 Power 2 Host and 2 Power 1 Host Port and 1 Power Port Port Authority, Defined Ports screen, showing configured ports is shown below. Click a line item to display the Port Properties screen for that port. Port Authority Communications screen showing configured ports Control Mimicking (for Both Port Authority SAM and Port Authority) Mimicking will allow the Host port of the Port Authority to copy the control signals of the Dial-In modem port. The default setting is Disabled. Modem Connect Message (for Both Port Authority SAM and Port Authority) The Modem Connect message may be enabled or disabled. If enabled the modem connect message is sent to the Host Port.. The default setting is Disabled. Master/Slave Device (for Port Authority only) The DDM software allows a Port Authority device to be defined as Master or Slave. This will allow the host ports of a Master Port Authority to connect to the Maintenance port of a Slave Port Authority. Using the Master/Slave function can expand the Port Authority up to 64 ports. The number of Ports available in a Master/Slave connection is equal to the Number of Port Authorities multiplied by 8, MINUS the number of Slave units. 7-17

57 A diagram showing an example of Port Authority Master-Slave cable connections is shown in Appendix Port Properties - Host Port Configuration Each Host Port 1 through 8 can be assigned a unique name (optional), Baud Rate, Data Bits, and Parity (required). If you double-click on one of the Line items for the Ports the Port Properties screen will display. In this screen, you may change the Port Name, Baud Rate and Bits/Parity of individual Ports Power Port Configuration Each Power Port 1 through 8 can be assigned a value (the number of ports is dependant on device type). Power Port Value is the time in seconds that the device, controlled by that port, will have its power in the off state. To edit the name and power port value of the individual ports, double-click on one of the line items the screen Slave Device Setting (For Port Authority Only) Double-click on one of the Line items in the Port Configuration Screen will populate. Here you may select a device from the slave device list to set up a daisy chain, between two Port Authority Devices Programmable ESC Code Programmable ESC Combo list functionality is only for Port Authority devices with firmware at or above 3.05.xx. After accessing and modifying a host or power port of a Port Authority device, a user exits the port by entering the esc character. The user may then access a different host or power port. If the ESC character interferes with other functions of the host application, the user may need to use a different character. The Programmable ESC code option allows the user to change the ESC code from one character to another. The default esc character will be changed and the new ESC code character will be installed after the DDM has programmed the Port Authority device. 7-18

58 For example, the Programmable ESC character is set as an esc character. When the user wants to exit this host port, an esc character would be keyed. The device then sends the prompt Type EXIT with a CR (return). After keying in EXIT with a return, the user would be brought back to the Port Authority Port list to access a different host or power port. 7.7 Remote Encryptors Screen This screen will only be available if Encryptor ID's are to be assigned to devices (default) in the Setup Screen (click Settings in the menu bar and then select Setup). Clicking on "Add Encryptor ID" or editing an existing ID will display the Encryptor ID INFO window. For a MultiGuard device, this page will be blank. Note: Encryptor IDs can only be added or modified from the Group Modification screen, which is show below. ENCRYPTOR ID: The encryptor ID is the unique 6-digit ID of the remote encryption device. Key Field The Key field holds the encryption "Seed Key". The Seed Key is a 16- digit (48 digit using triple DES) hexadecimal key that can be manually entered or can be automatically generated by the program by clicking on the "Generate" button. The triple DES key is shown as three separate 16-digit keys. The same key(s) must be installed in the remote encryption device. The default DES setting is triple DES. 7-19

59 This option is located in the Setup dialog window under Settings menu in the Menu bar. When editing an existing Encryptor ID, Key1, Key2 and Key3 fields will display as asterisks. Key Signature Field This is the Signature of the Primary Key. The Key Signature of the remote Encryptor is compared with this Key Signature. If both Signatures are the same, then the Keys will be the same. If the remote unit is set for single DES, the first 16 hex digits MUST be the same as the remote unit s single hex digit key. 7-20

60 8 CLIENT ENCRYPTORS A client encryptor is a CDI device that is used to dial out to another UniGuard or Port Authority when a session must be encrypted. This section explains how to add and configure the following client encryptors. Port Authority SAM Client UniGuard Client SSE Client 8.1 Port Authority SAM Client A Port Authority SAM Client is a Port Authority SAM device that can be programmed to be a client encryptor by the DDM. The Port Authority SAM Client then allows remote users to authenticate with a SAM Host using AES 128 Bit Encryption for proprietary time base authentication. To add a Port Authority SAM Client, double-click on the Client Encryptor box in the Group List that the Port Authority SAM Client is to be placed or highlight Client Encryptor, then click Devices-Add Device. This will bring up the Select Client Device Type List screen. From the Select Client Device Type List, click on the Port Authority-11, 22, or 44 SAM Client. This will open the Device series of screens. Enter the name of the client device. Phone number: Phone # of the Device you are adding. Primary and Secondary connection: Type of connection you will use when programming the Client Device. For Client Devices with IP, enter the appropriate information in the IP Address, Port, and Hardware Address fields. Note: The IP Port defaults to 10001; you may change this if necessary. 8-1

61 If you are programming the Client Device via a modem, enter the IP Address; the Hardware Address will then automatically be pulled from unit. If you are programming the Client Device via network you will have to provide the Hardware address along with the IP address. After the information has been entered, the following message is then displayed Device Info Screen for a Port Authority SAM Client Device, The Device Info screen enables you to enter reference information about the client encryptor being added and to define the communication paths by which DDM will access it. Device Type: Required. Select the device type from the dropdown list. Device name: Required. for reference to the device s ID, such as company, location, etc Licenses Available: The number of licenses that are available for that Device Type. Phone Number: Enter the phone number of the device. Device ID-S/N: No entry is necessary. When the DDM accesses the device, it retrieves the device s serial number and adds it to the DDM database. 8-2

62 Version: The firmware version running in device will populate here after programming. Primary Polling Device: This unit will be polled first when the Group is being polled if this option is selected. A group need not have a Primary Polling Device assigned. Each group can have one device that will be the primary device of Group. Asset Tag: Optional. Enter additional information to better define the CDI device. A maximum of 20 characters may be entered for this field. Information: Optional. Enter additional reference information. Primary Communications: Determines whether the primary method of accessing the device will be via a network, dial-up phone lines through a modem, or through the serial port. If Serial Port is selected, you will be prompted to enter the COM port number the DDM will use to communicate with this device. Secondary Communications: Optional; Determines the secondary path of communication. If the Serial Port is selected, a window will request a COM port number that the DDM will use to communicate with this device. Time Offset: Optional. The hours ahead of or behind local time at the Network Administrator s location. The offset is used in report generation and to set the time of the remote devices and be synchronized with the DDM. Example: If the DDM Manager is located in New York (EST) and the device is located in Los Angles (PT) then the offset will equal 3 (hours). Primary Network Properties: If the Device has IP capabilities click this button to configure the parameters of the IP card. IP Address: The IP address assigned to this unit. You may also edit the IP address in this field as well. Use Dialing Options: If checked, will use the dialing properties of the DDM PC, the defined destination country code for the device, and the Phone Number in the dialing process. Country/Region List: (Displayed only if Use Dialing Options is enabled). A list of countries and their associated country codes is displayed. If used, dialing options will be enabled and the list will define the device s destinations country code. Dialout Modem Number: Required if device will be accessed via phone lines. When entering a phone number, do not include spaces. IP Type, Internal/External: IP Type defines the type of IP card, Internal or external. Internal IP - The device is set for an internal CDI IP card. External IP - The device is not set for an internal CDI IP card but it can be programmed by the DDM through an external IP connection. For example, the link port of a UniGuard (no IP card) can be connected to a Cisco Router's AUX port. To connect to the Cisco Router AUX port a connection would be made to the Cisco Router via an IP address (ex. 8-3

63 ). The DDM then can program (contact) the device via Network communications using this IP address System Options for Port Authority SAM Client Encryptor The Port Authority SAM Client is selected by clicking on Client Encryptors, below Devices in the Group list. The Device Properties screen for the SAM Client is displayed. Click the System Options tab to display security parameters. Sys Password: This password is used in the authentication process between the unit and DDM. The default is password. To change the password, click on Update Password. Enter the password, and then confirm it by entering it again in the appropriate field. Important! If the default password is changed and the original parameters are deleted from DDM you will have to set the correct password in this field for DDM to successfully program the Client Device. 8-4

64 The authentication process can be disabled from the System Options screen. Display the System Options screen by clicking the tab in the Device Properties screen. Under SAM Client Host Authentication, select Disabled. The red Client Key Info button enables you to provide client key information. This client key is used by the Port Authority SAM Client when authenticating with the SAM Host Device (the device to which the SAM client is connected). Every Port Authority SAM Client has a client key, which is used along with the unit s Client-ID in the authentication (AES 128 Bit Encryption for proprietary time base authentication) process between the SAM host device, which initiates the authentication process, and the SAM Client. Generate Client Key (When adding a new Port Authority SAM Encryptor) When adding a new Client Encryptor, the Generate Client Key window with three keys of 16 hex characters is displayed. You may enter your own keys or have DDM generate them for you by clicking Generate. Encryption Key Info (when editing an existing Port Authority SAM Encryptor) When this key is clicked, the Encryption Key Info window will display. The key consists of three hex keys. You may change the key by entering your own key or by clicking Generate to have the DDM create it. 8-5

65 Important! If you change the client s key, you must program all Sam Host Devices in your group so that the correct key will be stored into the Host Device and the authentication process will not fail Communications Screen for Port Authority SAM Client Device The Communication Screen contains the modem parameters for the device. Modem Port Bits/Parity: Select the bits and parity of the modem. Defined Messages: These are messages you may program the unit to display when it is accessed. Primary Message will display before the authentication process begins (before user prompt populates). Secondary Message will display after User ID is entered. Modem Baud Rate: Sets the Baud Rate for the Modem Port Extra AT Command Settings: If anything is changed in the field under Send AT Commands or if Send AT Commands is checked, the AT Command in that field will be programmed into modem. You do not have to enter an AT in the front of command string and do not include spaces or delimiters between commands. Modem Inactivity Timer (minutes): This will set the number of minutes during which the modem detects no activity before it disconnects. If this field is set to 0, this feature will be disabled. 8-6

66 8.2 UniGuard Client Encryptor To add a UniGuard Client encryptor, click on Client Encryptors, in the Group list in the left pane of the Opening screen. From the Select Client Type List select UniGuard Client. Only the fields that are unique to the UniGuard client encryptors are described in this section. Common fields are described in the previous sections AES/TDES Mode for UniGuard Client Triple DES: The Host device will only do Triple Des encryption with Client Encryptors (UniGuard Clients and SSE Clients). (64 bit) AES: The Host device will only do AES encryption with Client Encryptors (UniGuard Clients and SSE Clients). The device must have a CDI AES Engine attached to its link port to do AES encryption. (128 bit) Both: This will enable the device to operate with Host Encryptors (UniGuard and Port Authorities) in both Triple DES and AES modes. The UniGuard Client must also have an AES Engine connected to its link port to be able to do AES Client Encryptor pre-dialog When Adding or Editing a Remote or Client Encryptor, DES/AES Display. Window is displayed. The Encryptor information will be displayed according to the display type (DES or AES) selected. The DES display has three keys of 16 hex characters each. The AES display has one key of 64 hex characters. Encryption Key DES Display Encryption Key AES Display 8-7

67 8.3 UniGuard Client A UniGuard Client is a UniGuard device that can be programmed to be a client encryptor by the DDM. The UniGuard Client then allows remote users to securely connect to CDI devices via Triple DES/AES communications Adding a UniGuard Client To add a UniGuard Client, double click on the Client Encryptor box in the Group List that the UniGuard Client is to be placed or highlight Client Encryptor, then click DEVICES- ADD DEVICE. The Select Client Device Type List screen is displayed UniGuard Client Device Information Screen This screen provides for entering reference information about the UniGuard Client and defines the communication path by which the DDM software will access the device. Device Type: Select the device type from the dropdown list. Device name: Required for reference to the device s ID, such as company, location, etc 8-8

68 Licenses Available: The number of licenses that are available for that Device Type. Phone Number: Enter the phone number of the device. Device ID-S/N: No entry is necessary. When the DDM accesses the device, it retrieves the device s serial number and adds it to the DDM database. Version: The firmware version running in device will populate here after programming. Asset Tag: Optional. Enter additional information to better define the CDI device. A maximum of 20 characters may be entered for this field. Information: Optional. Enter additional reference information. Primary Communications: Determines whether the primary method of accessing the device will be via a network, dial-up phone lines through a modem or through the serial port. If Serial Port is selected, you will be prompted to enter the COM port number the DDM will use to communicate with this device. Secondary Communications: Optional; Determines the secondary path of communication. If the Serial Port is selected, a window will request a COM port number that the DDM will use to communicate with this device. PC Time Offset: Optional; The hours ahead of or behind local time at the Network Administrator s location. The offset is used in report generation and to set the time of the remote devices and be synchronized with the DDM. Example: If the DDM Manager is located in New York (EST) and the device is located in Los Angles (PT) then the offset will equal 3 (hours). Primary Network Properties: Required for devices with IP capabilities. Click this button to configure the IP card parameters of a device that has IP capabilities.. Use Dialing Options: If checked, will use the dialing properties of the DDM PC, the defined destination country code for the device, and the Phone Number in the dialing process. Country/Region List: (Displayed only if Use Dialing Options is enabled). A list of countries and their associated country codes. If used, dialing options will be enabled and the list will define the devices destinations country code. IP Type, Internal/External: IP Type defines the type of IP card, Internal or external. Internal IP - The device is set for an internal CDI IP card. External IP - The device is not set for an internal CDI IP card but it can be programmed by the DDM through an external IP connection. For example, the link port of a UniGuard (no IP card) can be connected to a Cisco Router's AUX port. To connect to the Cisco Router AUX port a connection would be made to the Cisco Router via an IP address (ex ). The DDM then can program (contact) the device via Network communications using this IP address. 8-9

69 8.3.3 Network Properties for a UniGuard Client Device IP Address: A unique identifier used to define a specific CDI device in a TCP/IP Network. Port No The port number that you will use to communicate from the Network side ex. Telnet Port number. NAT Address (Network Address Translation) The address will allow numerous devices to use a single unique IP address for translation into the Internet world. The purpose for this address is for an internal network to be identified as one IP address when routed to a different Network which will create less traffic. Subnet Mask - The Subnet Mask is a bit pattern that is used to mask off the network portions from the host PC portions of the address. If your host PC is using the wrong subnet mask you will not be able to correctly identify all Users on that subnet and many users could be unreachable by your computer. (Reminder: Standard class A 8/24 (net/host), class B 16/16, class C 24/8 bits) Gateway IP Address This Router/Gateway address will be the door entrance to allow you access to other Network Segments. Make sure this address is within the local Network. SysLog IP address Optional. If you have a Syslog Server application running on your network the CDI Devices can report audit trail messages back to the Syslog Server for monitoring purposes. SysLog IP Port This will be the virtual port of the Syslog Server that the CDI Device needs to know for communication purposes 8-10

70 Assigned Client PPP Address In order for the CDI device to negotiate a PPP session, you will need a PPP Address for the CDI Device to assign to your application. Make sure the PPP address is within the local Network Segment into which you are dialing UniGuard Client, System Options UniGuard Client, System Options screen User Security Level: This establishes the method when the User Log s on to the device. Host AT Command Access: Enables the Host to access the modem Host Dialout: Enables the Host to Dialout using the modem. Host DTR: This option monitors or ignores the DTR (Data Terminal Ready) signal from the Host port of the UniGuard. The default is Monitor. Link\IP Port Options: The Link port options are; Link Connection, Power Port Connection and IP authentication, IP Dialout/No Encryption and IP Dialout/Encryption. ASE/TDES Mode for Client Encryptor (UniGuard Client) 8-11

71 Added to the AES/TDES Mode for the Client Encryptor is Both This will enable the device to operate with Host Encryptors (UniGuard and Port Authorities) in both TDES and AES modes. The UniGuard Client must also have an AES Engine connected to its link port to be able to do AES. Password: When editing an existing device, the password will display asterisks. System Key: The User can define his/her own default System Key in the Setup Dialog page under Settings. Update System Key: Clicking on the Update System Key bar will display the System Key Update screen. Set an existing device for a new System Key, or set all devices in a group or set all of a particular device in a group for a new System Key (same Key). Client Key: Clicking on the Client Key bar will display the Encryptor ID Information screen. Enter a key or click Generate to have the DDM create one. First Message Delay Time: The First Message to be sent (defined in the Communication screen, Primary, Secondary and Host Connect) can be delayed by entering the number of seconds for the required delay. This allows time for the modem to connect. Inactivity Time: The number of minutes that will cause the unit to signal the modem to disconnect if exceeded. A zero (default) will disable this function Communications Screen UniGuard Client The Communications screen allows for setting the parameters that the UniGuard client will use to communicate

72 Baud Rate: Clicking the down arrow along side the Baud Rate window will display the available baud rates. The baud rate can be set between 1200 Baud and 230,400 Baud. An Auto Baud is also available which will seek out the Baud Rate from the incoming data. Primary, Secondary, and Host Connect Messages: The primary, secondary and host connect messages can also be defined here (optional). Clicking on the appropriate bar will open a blank screen in which the message can be entered. Enable the AT Command: Click on the Send AT Command to enable the AT Command to be sent. Enter the AT Command: The AT Command can be entered in the window beneath the Enable AT Command. 8.4 SSE Client The SSE Device acts as a client encryptor and comes with a unique 6-digit ID. The SSE Triple DES/AES key can only be programmed by the DDM. An SSE Client has a hardware component and a software component. SSE Secure Session Encryptor (CDI USB Token) that includes a USB cable. One end of this cable is attached to the USB port of the PC. The other end is connected to the SSE hardware device. A device license is required for the SSE hardware device to be managed by the DDM. SST Secure Session Terminal is a Communication Software program (Windows ME, 98, 2k, and XP platforms) that allows remote users to securely connect to CDI devices via Triple DES/AES communications using the SSE. 8-13

73 8.4.1 Adding an SSE Client To add an SSE Client, double-click on the Client Encryptor leaf in the Group List that the SSE Client is to be placed. The Select Client Device Type List screen is displayed. Click on the SSE Client to display the SSE Client Information screen. If no SSE Device licenses are available, a message will be displayed asking the user to contact CDI for additional licenses. Minimum Pin Length The Minimum Pin length is the least number of characters that may be entered for the pin. The range is from 4 to 12 characters. The pin must be between the minimum length and 12 characters. Unlock/Lock SSE Device The user can unlock or lock the SSE (default is unlocked). After a consecutive number of failed logon attempts, the SSE is put into a locked state. When locked, the SSE device cannot do encryption. SSE Client Information screen, Modem Dial Out Communication Type Once locked, the SSE must be unlocked before logons can be attempted. When unlocked the SSE is put in new pin mode. Setting the Lock SSE Threshold value The Lock Threshold value can be accessed from the Setting menu bar in the main screen. Click on Settings in the menu bar, then select Setup in the drop down screen. The threshold value is the number of consecutive failed logon attempts that will put the SSE in the locked state (default is 5). If the threshold is not reached and a successful logon has occurred, the SSE lock value is reset. If the SSE lock 6hreshold value is set to zero, then the locking of the SSE will be disabled. SSE Client Information screen, Local USB Communication Type Require Pin Validation If enabled (default is enabled), the user must enter a pin to logon to the SSE device. Require New Pin If enabled (default is enabled), the user must enter a pin to logon to the SSE device. 8-14

74 Defining the Communication Type Communication Types available are Modem Dial out, Modem Dial in, Direct to a COM Port or Local USB Selecting the Communication Type To display a list of Communication Types, click on the arrow of the Communication Type field. Click the appropriate communication type to select it. Information Modem Dial Out Selecting Modem Dial Out will require that you enter the phone number in the Modem Dial Out window. Modem Dial In Selecting Modem Dial in will require entering of the Wait for connection value. This is the number of minutes that the DDM will wait for a connection; the maximum value is 15 minutes. Direct to COM Port Selecting Direct to a COM Port will require choosing the desired COM Port. Local USB Port Selecting the Local USB Port will require choosing the COM Port to which the SSE device is connected. Information about the SSE Client can be entered in the Information window. This information will be displayed when this screen is displayed. Selecting the SSE Key Info Button Clicking on the SSE Key Info Button on the SSE Client Information screen will display the Encryptor ID Info screen. You may enter the Encryptor keys or you may click Generate to have the DDM produce one. After the device has been added, it must be programmed. Please refer to the Program Devices section. 8-15

75 9 USERS User information is stored in a database managed by the DDM. When you add, modify, or delete a user, a change is made to the database stored on the DDM PC. The databases of the remote devices can then be programmed with the updated information. This section contains information about managing users and includes the following: Add, edit, and delete a user User types Display a list of users of a group or all users in the system Program devices with the updated user information 9.1 Add a user You must first select the group to which a user is to be added. To do this, click on "Users" under the Group to which the user is being added. Click on User in the Menu Bar and select the Add New User to Selected Group option. The User Properties screen is displayed. Shortcut: Double-click on Users in the desired group to display the User Properties screen and add a new user. A user may belong to more than one group. A user from one group can be copied or moved to another group by dragging the user to the appropriate group. To do this, display the complete user list, click on a user id and drag it to the appropriate group. 9-1

76 The User Properties screen has 5 tabs: User Info, User Security, Token Key Info, RSA SecurID, and Token Info User Info User Type: Required. Allows you to select the type of user access for a particular user and thus the security level. Select the type of authentication that will be used to confirm the user identity from the pull-down option list. Available user types and descriptions are listed in the following table. User Type RSA SecurID Token Password and ID Callback (MultiGuard only) Roving CryptoCard DPI Token Encryption Description User must have an RSA token and pin to use the passcode to gain access to a device User inputs a User ID and password to gain access Requires a valid ID and Password and the user to be connected to the phone number listed in their user profile. The Device will call back the user on the designated number Same as call back but the user specifies the callback number when they first try to authenticate, this number is deleted from memory after the session Proprietary type token, user must have the User ID, PIN, and token Proprietary type token, user must have the User ID, PIN, and token User ID and Password and the whole session is encrypted. For an encrypted session, the user must dial out through a UniGuard Client or normal modem with an SSE. Encryption Mode can be selected for all of the above options so that the access and session are both secure. 9-2

77 User ID: The ID that the user will enter to log on to the system. The User ID may have a maximum of 10 characters in length. User Name: Enter the name of the user. You may enter the actual name or a nickname. User Information: Optional: Enter descriptive information about he user. Assign User to Port Authority Ports: Users for Port Authority units can be granted access to any single port, group of ports, or to all ports. Each port can be clicked separately. If a user is to have access to all the ports in the Port Authority, then the ALL box may be checked, as shown. Lockout User allows the administrator to lock out a user from a group without having to delete their profile. The user will then be included in the locked user list. Note: To unlock a locked-out user, click to uncheck this box. Click Accept to continue. Depending the User Type selected, a message is displayed indicating additional information must be entered in the User Security screen. For example, if you selected User ID and Password as the security type, then a message informing you that you must enter a password is displayed User Security The fields displayed on this screen depend on the User type selected on the User Info screen. This screen applies to Password and ID, Call Back, Roving, and Encryption user types. Password: The User Password can be up to 10 characters in length and is used by the UniGuard, Port Authority, or MultiGuard device to authenticate the user. Note: When modifying the user properties of an existing user who has a password field enabled, the password will be displayed as asterisks. 9-3

78 Call Back Number: (applies only to Callback or Roving user types). Enter the phone number of the line to which the user s modem is connected. Pager field: (applies only to UniGuard and Port Authority devices; a user must be a Pager user type). Enter the pager number for a "Pager" user type. (Ex. 1,800, ,,,,,,). The commas provide pauses of approximately 2 seconds Token Key Info Screen This screen will only be available if "Token User, Cryptocard User or DPI Token User was selected as the user type in the User Info screen. Token Serial Number (optional): Enter the serial number or click Generate to have the DDM provide one. Token Key Information allows the administrator to set up the Token encryption key and PIN Primary Key: The Primary Key field is required and MUST contain 16 HEX digits. You may enter a key or click Generate to have the DDM enter a key. Token Type field (optional): Select Hex or Octal. Primary Pin (optional): Enter a pin for the Primary Key or click Generate to have the DDM enter a PIN. Secondary Key and Secondary Pin fields are unused and are reserved for future use. When editing an existing User of this type the Primary field will be displayed with asterisks. 9-4

79 9.1.4 RSA SecurID Token Info The following information applies to when adding a new RSA SecurID Token User. RSA token information is stored on the disk supplied with the tokens. When a new RSA SecurID Token user is generated and the RSA SecurID Token Info tab is first selected, you are prompted for this disk. The token serial number selected from the list of available tokens. The Token Serial Number, Birth Date, and Death Date are then automatically updated. To update this information, press the Update RSA SecurID Token Record button RSA SecurID Token Info user properties apply to new and existing RSA token users. RSA SecurID Token Serial Number: The permanent number on the token. RSA SecurID Token Death Date: Date the token will expire (and will require replacing) 9-5

80 RSA SecurID Token Pin: PIN that is used to authenticate the user. New Pin Mode: Selected the first time the user is entered into the database. When the user logs on for the first time they are given their password and the device registers that they have authenticated. Next time the DDM programs the device it retrieves this information and automatically unchecks the New Pin Mode box. Ideally the NOC would get all users to first only authenticate to one device, then program that device, get the pins and validation then program the other devices. DDM Assigned: Checked if the Administrator wishes to assign the PIN User Assigned: Blanks out the PIN and allows the user to enter their own PIN when they first authenticate Encryption User and ENCRYPTOR Encryption Users only apply to UniGuard, Port Authority 88, and Port Authority 44 units. This screen will only be available if "Encryption User" was selected as the user type in the User Info screen and ENCRYPTOR keys were designated for assignment to users in system setup (in the Setup dialog under Settings). All fields are required. Encryptor ID: Enter the unique six digits ID of the remote encryption device. NOTE: The Encryption Type (single or Triple DES/AES) that has been designated in the System Settings is indicated: Key Field: Enter the encryption "Seed Key". This is a 16 or 48 digit hexadecimal key that can be manually entered or can be automatically generated by the program by clicking on the "Generate" button. The size of the field depends on the encryption type (single DES, 16 Hex Digit field and Triple DES (TDES), 48 Hex Digits). 9-6

81 Key Signature: Signature of the Primary Key. The Key Signature of remote Encryptors is compared with this Key Signature. If both Signatures are the same then the Keys will be the same. Note: If triple DES is the selected Encryption type, three 16-digit hex keys will be required when editing a User of this type The Primary field will display all asterisks. The encryption type is set in the Setup dialog menu from the Settings button. The default is Triple DES (TDES). 9.2 Adding Existing Users to a Group A user can belong to as many Groups as necessary. All users in a Group will have access to all devices in that Group. Port Authority devices are the only exception. Because Port Authority devices have multiple ports, a user may be restricted from some ports. Users can be added to another Group by clicking on the User and holding down the left mouse button while dragging the User to the desired Group. This will result in a sub screen asking, Do you want to add the user (User ID) to the group (Group Name). 9.3 Delete a User from a Group To delete a user from a group, click on Users under Group. The users of the group are displayed in the right pane. Click on the User ID and then select Delete User from the User dropdown menu. 9.4 Listing Users of a Group Clicking on "Users" from the Main Menu bar will display all the users in the database for the selected Group. Users can be added, edited, or deleted from the selected Group s database. The properties of an individual user can be displayed either by double clicking on the User ID or highlighting the ID and selecting the desired action from the "Users" pull down menu. 9-7

82 9.4.1 Alternate Method of Listing Users of a Group To display a list of all users of the selected Group, double-click on Users of the selected Group, You may then perform the following tasks. Sort the list. Click on a column heading to sort by that heading. You may sort by User ID, User Name, User Type, and Token Serial Number. Add a user to another group by dragging the user from the system User Management list to another group. Modify a user. Double-click on a user whose properties you wish to edit. The User Properties screen for that user is displayed. You may also select a user by clicking on the User ID, and then selecting the Display User option from the User dropdown menu. 9.5 Modify Properties of a User You can modify a user by highlighting the User ID from the list of users and selecting "Display User" from the menu bar. The User Properties screen is displayed. 9.6 User Lock List The User Lock List is a list of users that are denied access to some or all devices of a Group. To display the User Lock list of a Group, select the group by clicking on the Group name. After the group has been selected, double-click on User Locked List for that group. To unlock a user, click on the User ID to select the user. Right-click on the user and select Edit User from the User menu. The User Properties screen is displayed. Click to uncheck Lockout User. 9.7 User Management List The User Management List is a list of all users of the DDM System. To display the list, click Users from the Menu bar, and then select Display Complete User List for System. The User Management List for System screen displays. By clicking the appropriate button under Display List Format, you can display the User List (all users) or only RSA users 9-8

83 From the User Management List, you can perform the following functions: Add a user to another group by dragging the user from the system User Management list to another group. Delete a user from all groups. Sort the users by User ID, User Name, User Type, or Token Serial Number by clicking on the column heading. Modify a user. Double-click on a user whose properties you wish to edit. The User Properties screen for that user is displayed. You may also select a user by clicking on the User Id, and then selecting the Display User option from the User dropdown menu. NOTE: After making changes, you will need to distribute updated user information to the remote devices. Please refer to the Programming section for more information. 9-9

84 10 SETTINGS The options of the Settings menu allow you to specify DDM system-wide setting and to perform system wide functions. These include compacting databases, adding and deleting administrators, set up polling, and entering addresses for an alert list. The Settings Menu has options that allow you to set certain DDM parameters and perform certain administrative tasks Setup Screen The options in this screen enable you to set the communication parameters for the DDM. These include the DDM PC modem properties, encryption information, the number of unsuccessful login attempts by a user before lockout, the number of SSE unsuccessful attempts before lockout, and other parameters. 10-1

85 Modem List: Select the modem that will be used to connect to remote devices. The modem list reflects the modem list displayed in the Control Panel of the computer. Modem properties can be displayed by clicking the Modem Properties button. Update Cycle and Time Update Cycle: Enter the time interval between polling of the remote units. The Update period can be set for days, hours, or minutes. This field only applies to MultiPolling DDM users and users who have been granted access to Automatic Services by the Master Administrator. Default values are Update Cycle 2 and 00:00 for Time. Time: Enter the time (hours-minutes) that the update should occur. Assign IP Address: This box must be checked when setting up a UniGuard, Port Authority, or MultiGuard device with an IP card via the network. When this option is enabled and the DDM is programming a device via the network (Program Reset Device), it first tries to ping the selected IP address to see if the address exists. If the IP address does not exist, the DDM assign its IP address to the network. The DDM will then attempt to program the selected device via the network. Constantly Polling Devices: Click to enable continuous polling of pre-defined CDI devices. This option applies only to this DDM PC. This option must be selected if there are users enabled for Automatic Services and for Multi-Polling users. Polling is activated when the Constantly Polling Devices) box is checked or the Update Period is set. The DDM also needs to be configured as a polling station with devices specified for polling (Settings Multiple DDM Polling Setup). DDM Communications Encryption Mode can be set to Single DES or Triple DES; this only applies to the DDM program sessions. Encryptor Ids: Sets the ENCRYPTOR Key Exchange to use the user key or the device key. The default setting is Device Key. Display Token Key: Only applies to token type users. The Token KEY can be displayed in either HEX (0-9,A-F), OCTAL (0-7) or hidden with asterisks. If the Display Token box is not checked, asterisks will conceal the Token KEY. This is the default setting. If the Display Token box is checked, the Display Token KEY window will expand to include a bulls-eye for HEX Display and another for Octal Display. This Token Key will be displayed in the Token Key Info field in the User Properties screen, (Token Key Info). Default System Key: When new groups are added, this default System Key will be the System Key for all new devices added to these respective groups. User/SSE Lockout Attempts: The number of times that a user can enter incorrect logon information before being locked out of the system. The default is 5. If set to 0, this feature is disabled. 10-2

86 If the threshold is not reached and a successful logon has occurred, the SSE lock value will be cleared to zero. If the lock threshold value is zero, then the locking of the SSE will be disabled. DDM Real Time Log: Enable this for real-time logging. DDM Real Time Log Port: Specifies the port on which real-time log entries are received by the DDM Modem Properties This displays the modem properties defined for the PC.. The Port Speed should be set to 9600; the other settings should not be changed. Advanced Modem Properties The Advanced tab will allow changes to be made in the Terminal Window and Hardware Settings Setup Properties for UniGuard UniGuard Power Port Reset Override: If enabled, the DDM will send the command to restore the UniGuard device to default settings when Reset Device or Reset Group (Program Reload Device or Reload Group) is selected Database Utilities These utilities are used to compact and repair DDM databases. 10-3

87 10.3 DB Administrator List The DB Administrator List screen lets you manage administrators and assign users to automatic polling. There must be at least one Master Administrator but no more than three. Administrators may be added and removed from this list. Master Administrators are the only DDM users who can do the following. Add, remove, and change Administrators. There must always be at least one administrator. Change the Master Administrator. Assign a DDM User for Automatic Services. Automatic services are the automatic polling of devices, automatic purging of Audit Trail data, and automatic backup of DDM database files Enabling Automatic Services and Database Management Automatic Services sets the user for the automatic polling of devices, purging of Audit Trail data, and backup of DDM database files (ODBC version only). The user will not be able to do any database management or communicate manually with the CDI devices in the field A DDM User can be enabled for Automatic Services and Database Management or for Automatic Services only. To do this, click Assign and enter the user name. Select the appropriate Automatic Services option. 10-4

88 All administrators must be enabled for Automatic Services and Database Management. Non-administrator DDM users can be set only for Automatic Services. DDM Users not set for Automatic Services will be able to do database management and communicate manually with the CDI devices in the field Unlock Database Records Database records can be unlocked from the Database Master Administrator List screen. Click on the Unlock DB Records bar to display the Unlock DB Records screen. Select Unlock All Records to unlock all records without first querying them. Select Query Lock Records to query the records before unlocking them. This enables you to select the records to unlock DDM Seat Licenses DDM SQL only A DDM Seat License is required to access the SQL Server DDM Databases. If multiple DDM Users access the DDM database concurrently, the DDM Seat License limit must be equal to or greater than the number of concurrent DDM users. The DDM Seat License screen displays the number of Seat Licenses available. From this screen you can clear all DDM Seat Licenses or Add additional DDM Seat Licenses. This is only for the DDM SQL version Add Seat Licenses to Database DDM SQL only DDM Seat Licenses can be added from the Administrator List screen by clicking the DDM Seat License bar in the Add DDM License area. You are then prompted to place the DDM Seat License disk in the drive. After you click OK, the Open File screen will be displayed. Select the location where the Updated DDM Seat Licenses should be placed. 10-5

89 10.4 Device License Each device added to the DDM must have a license. The number of devices that can be added to the DDM depends on the number of available licenses. The DDM is shipped with a default number of Device Licenses (3 UniGuards, 2 Port Authority units, and 1 MultiGuard). Licenses for additional units can be obtained from CDI. The licenses must then be added to the database. (See Adding Device Licenses to the Database section). The Device License screen displays the following information for UniGuard, Port Authority, MultiGuard, and SSE units. The number of device licenses available in the database. The Device License Limit in the database for each device type. The number of device licenses used in the database for each device type Adding Device Licenses to the database To add a device license to the database, insert the Device License CD-ROM. The licenses are stored in the license.lod file. From the Settings menu, select the Device License option and click the Add Device License button. From the list of files, select the license.lod file. After the licenses have been added, you may click Update Device Licenses to update the values displayed on the screen RSA SecurID Token Attributes The RSA SecurID Token Attributes files set the RSA pin attributes. 10-6

90 The RSA Pin Attributes can be set for Alpha/Numeric Fixed Pin Length Numeric Fixed Pin Length Alpha/Numeric Varying Pin Length Numeric Varying Pin Length RSA Pin Length The RSA Pin Length can be set for a range between 4 through 8 characters. The default setting is a minimum length of 4 and a maximum length is RSA Next Pin Mode The RSA Next Pin Mode denotes the number of times that an incorrect pin can be entered before the Next Pin Mode takes place. When this happens, the caller will be prompted for the next pin appearing on the RSA Token. The default setting is RSA SecurID Enable Files The RSA SecurID Enable files enables a CDI device to operate as an RSA SecurID authentication device. There must be an RSA Enable File for each device that is to be RSA SecurID enabled. The RSA SecurID Enable Files screen displays the total number of licenses, the number those are available, and the number used. New RSA Enable Files are added by clicking on the Add Device Licenses to Database button. After you add a license(s), the values displayed can be updated immediately by clicking Add Device License to Database. 10-7

91 RSA SecurID Enable Available is the number of RSA SecurID files unassigned. RSA SecurID Used in the Database is the number of RSA SecurID files assigned. RSA SecurID Enable Limit is the number of RSA SecurID files that are allowed in this DDM System. Adding additional RSA SecurID files can expand the Enable Limit. These can be obtained by contacting CDI Add RSA SecurID Enable Files Click the Add RSA SecurID Enable Files button to add RSA SecurID files to the main RSA SecurID Enable file located in the MultiPoll/License file defined path. This is defined in the Database Master Administrator List DDM Log Files Purging Setup DDM log files, including the Audit log and the RealTime log, can be deleted automatically after a specified number of days. Enter the number of days the files are to be kept. Files are deleted after the number of days specified and cannot be recovered. Valid entries are from 1 to 365 days. You can also manually purge the logs by clicking the Manual Purge DDM Log Files. Click OK to continue. 10-8

92 10.8 Define SNMP Events This screen enables you to specify the SNMP Manager s address(es) to which messages initiated by CDI devices will be sent. SNMP Manager s IP Address 1: IP Address of the first SNMP Trap Receiver that you want the traps to be sent to. SNMP Community Name 1: The Community string ( password ) that the first trap receiver uses to validate traps. SNMP Manager s IP Address 2: IP Address of the optional second SNMP Trap Receiver that you want the traps to be sent to. SNMP Community Name 2: Community string that the optional second trap receiver uses to validate traps. SNMP Manager s IP Address 3: IP Address of the optional third SNMP Trap Receiver that you want the traps to be sent to. SNMP Community Name 3: Community string that the optional third trap receiver uses to validate traps. SNMP Version: Select the version of SNMP trap that is being sent. SNMP Event List: A list of all the possible SNMP traps that can be generated. SNMP Defined Events box displays a list of possible SNMP events that can be monitored. To select an event that will be monitored, click on the event and then click >>. The event will then be listed in the SNMP Defined Events box. The events in the Defined Events box are passed on to the SNMP manager. To move a Defined Event back to the Event List, select the event, and then click the <<. To delete an event, click Clear. 10-9

93 10.9 Setting up Multiple DDM Polling Multi-Polling allows you to set up polling for other PC s running the DDM application. Only a Master Administrators can access this option (see DB Administrator List). Click Settings and select the Multiple DDM Polling Setup option. When the Multi-Poll Settings screen is displayed, the DDM will search for the file of DDM Poll Station names and populates the DDM Poll List box with the Poll Station names. The MultiPoll files are located in the MultiPoll/License file path defined in the DB Administrator List. The name of the computer must be used as the DDM poll station name. There can be up to eight DDM Poll Stations MultiPoll\License File Path DDM SQL only The file path to the location of MultiPoll files and all License files can be defined or changed in the Change Multipoll Licenses File Path. If the path is known, it can be inserted in the window. If the path is not known, click the Browse MultiPoll\License File Path box to view storage devices and folders to locate the file. NOTE: This only applies to the DDM SQL version DDM Polling Stations The Multiple DDM Polling screen displays the Station DDM Poll list and allow you to select to poll by groups or by devices. Click the Properties Bar to display the Setup properties for the DDM Adding Poll Stations Adding Poll Stations lets you add a DDM polling station to the list. A maximum of eight DDM Poll Stations can be added

94 Click on the Add Station bar to display the Add/Edit DDM Poll Station List screen. Type in the names of the computers you want to add in the DDM Poll Station field, and then click OK. The Select Groups (for the computer name that was added) screen is displayed. Depending on the Poll Type selected, either the Select Groups to Poll or the Select Devices to Poll screen is displayed Select Groups to Poll From the Select Groups to Poll list, highlight the Groups you want polled by this computer and click on >> to transfer them to the Group Select window. Groups can be removed from the Selected Groups list by highlighting them and clicking <<. When you have completed your selections, click OK to place the groups in the Group List for that computer. A message similar to the one below will appear informing you that the computer must be restarted for the polling process to begin Edit a Station To change the name of a Station, click on the Computer name then click Edit. Enter the new name Deleting a Station To delete a Computer Station, click on the Computer name then click Delete. When deleting DDM Poll Station names from list, the associated computername.pol file will also be deleted from the MultiPoll/License file path DDM IP Dialout List The IP Dialout List is a list of Client Encryptors (UniGuards in client mode) with internal IP cards that can be used by the DDM or SSM to contact remote devices in the field using IP Dialout Communications. The DDM or SSM will connect to the particular client via a network connection, take control of its internal modem, and dial out to a remote device. This list is sorted by client encryptor that has not been used the longest. When a client encryptor has been used, it goes to the end of the list. Non-CDI devices that have IP Dialout capability, such as Cisco Routers used as Terminal Servers, can be added in the list. To display the list, select DDM IP Dialout List from the Settings menu

95 Each entry in the list contains a Device Name and an IP Address/Port Number that the DDM can use for IP Dialout communications. All items displayed in blue are CDI devices set to be used as IP Dialout connections. (See Device Properties). All non-cdi devices are listed in black type. From this screen, you may Add, Edit, Delete, and Select Devices from Database. All CDI device items in the list may only be viewed; they cannot be modified from this screen. IP Dialout Expiration Period is used in conjunction with the dialout process. If the IP Client device cannot be connected to during the start of the IP dialout process, the DDM will use this value to determine if the client device should be put into an ALARM state. If the time stamp of the client (last time it was successfully connected to) plus the IP Dialout Expiration Period is less than the current time, this client device will be into an ALARM state. This will alert the user that there is a problem with IP Client device. This value is in minutes. 0 disables this feature Adding a non-cdi device The Add Device button only applies the non-cdi Devices and allows non-cdi devices to be added to the IP Dialout list

96 Device name: A name that will help the user define this device. IP Dialout address: The correct IP address of the device. Extra AT commands: Enter AT command Edit a non-cdi Device The Edit Device button only applies the non-cdi Devices. This allows the Device name, IP address, and Extra AT commands of the non-cdi device to be changed Delete Device You can remove both non-cdi and CDI devices from the IP Dialout list. After you select a device to delete and click the Delete button, you will be prompted to confirm your selection

97 When CDI items are deleted from the list, the IP Dialout Connection box in the Device Properties screen for that device is unchecked Adding CDI Devices to the IP Dialout You can add CDI devices to the IP Dialout List that have a valid IP address but have not been set for IP Dialout connection. 1. Click the Select Devices From Database button. A list of UniGuard devices in the system that have a valid IP Address and are not set to be used as an IP Dialout connection are displayed (Devices Available list.). 2. To select devices for IP Dialout communications from the Devices Available list, highlight the device(s). Click >> to move the selected device(s) to the Devices Selected list. 3. Click the OK button to exit the window. The selected devices will now appear in the IP Dialout list. The DDM can now communicate with the device using IP Dialout Alarm Alert List The DDM Client has the ability to alarm alerts when the DDM is programming (communicating) devices. You may add, edit, or delete the addresses to which selected alerts are sent. A maximum of 25 users can be added to the alarm list

98 Enabling the Alerts feature To enable this feature, check the Enable this DDM Client to send Alarm Alerts box. The DDM Client Information window is displayed. The l information displayed in this window is used by the DDM to send alarm alerts. Users must already be listed in the Alarm Alert list for the DDM Client to send alerts to these users. For information about adding users, see Adding an User. This window is the information needed for this DDM Client to send out alarm alerts. SMTP Outgoing Server name and SMTP Port number (usually 25) parameters can be found in your Mail Account properties (ex. Microsoft Outlook or Netscape Mail). Enable SMTP Authentication: If this is enabled (checked), then you will need your User Name (which can be found in your Mail Account properties) and account password. The password will be displayed as asterisks and is saved in encrypted format. If the Enable SMTP Authentication checkbox is not checked, then the Username and Password fields are not used. The DDM Client will try to connect to the SMTP Server without security

99 Whether or not the DDM Client can connect to the SMTP server is dependent on the SMTP server. Some SMTP servers will allow this and others will not. It is depended on the SMTP server. Your address can also be found in your Mail Account properties. The address format should be the same as displayed in you address book. User name followed by < followed by the actual address User Properties users are added and user properties are edited in the Edit User screen. Enter the User Name and Address. From the Alarm List, select the alarms that are to be ed to the user Adding an User In the Add User screen, enter the username and address at the prompts. The Alarm list displays all alarms that may be selected. Click to select an alarm. Move this alarm to the Selected List by clicking the arrow pointing to the Selected List box. After you have finished selecting alarms, click OK

100 To remove an alarm from the Selected List, highlight the Alarm and click the arrow pointing to the Alarm List box. Click OK to continue. These Alarm events occur in the process of communicating with CDI devices. To be able to alerts, the Alarm type must be defined in the Alarm List. Example For example user John Doe1 has the following events defined. 1. User ID/Password Error 2. RSA Token Expired And user John Doe2 has the following events defined. 1. User ID/Password Error 2. Connected to an Invalid Device UniGuard. And user John Doe3 has the following events defined. 1. RSA Token Expired 2. Connected to an Invalid Device UniGuard. This DDM Client sends a manual Reset Device or Program Device command to UniGuard device. When retrieving the audit trail from this device, a User ID/Password Error event is received. An will be sent to John Doe1 and JohnDoe2. 11/11/ :11:00 Device Name User ID Port No. User ID/Password Error Then an RSA Token Expired event is received.. This DDM Client will send out an to John Doe3 and JohnDoe1. 11/11/ :11:00 Device Name User ID Port No. RSA Token Expired Alerts when Multiple Devices are Programmed When multiple devices are programmed, the DDM builds separate files for each defined user. As each event is processed, it will append the defined event to the appropriate file. Multiple devices are programmed when any of the following options is selected: Reset Group Program Group MultiPoll Programming Program All devices 10-17

101 Program Failed to Contact List After all the devices are programmed, s are sent to the appropriate users. John Doe1 11/11/ :11:00 Device Name User ID Port No. User ID/Password Error 11/11/ :11:00 Device Name User ID Port No RSA Token Expired John Doe2 11/11/ :11:00 Device Name User ID Port No. User ID/Password Error John Doe3 11/11/ :11:00 Device Name User ID Port No. RSA Token Expired After sending these s, the DDM sends a list of the devices the DDM could not contact to all users Display DDM Registration Form This displays the DDM Registration form. You may or print the form. This is used only for update information and not as a sales tool SSM Setting SSM is for NOC (Network Operating Center) and has access to the DDM Databases. It is used to contact the remote devices by modem, network, IP dialout, or serial communications). When connected, the user will authenticate to the remote device and can access its host applications DDM Radius Service This option enables you to set up Radius server services using the Service Install Wizard Export DDM Database to XML File This option allows you to do the following: Export the DDM database to an XML File. Extract device information for all devices in the database into an XML file for importation into a spreadsheet (such as Excel spreadsheet). You will need to enter a filename and select the folder in which the file is to be saved

102 11 PROGRAMMING DEVICES Whenever a change has been made to the DDM database, the databases of remote devices need to be updated. Changes to the database include the addition, modification, or deletion of users, device configuration, and the addition of new devices. This section describes how to do the following: Reload/Update all devices, devices of a group, or a single device Update the firmware Telnet to a device (for devices that have an IP card) Update the firmware of the IP card Configure the IP card of a device View the status of a device Display DDM real-time log entries for the device and display audit information for a device Program menu The Program menu lists the options to program, reset, clear and telnet to devices as well as options for updating the time and displaying audit logs. The options available depend on whether you have clicked on Group List, a group name, Devices listed under group list, or on a specific device. 11-1

103 Program-Reload Device: Clears the memory of the device then re-programs it with all the settings in the device record information The device record is all the information, parameters, settings, and properties that the DDM stores about a device.. Program-Update Device: Updates the device by adding any changes configured in the device record since the last time the device was programmed. Program Group: Programs all devices in the selected group. Program Flash For Selected Device: Programs the firmware of the selected device Program Flash For Selected Group: Programs the firmware of all devices in the selected group. Program All Devices: Programs all devices in the system with the any changes to the DDM database since the last update. Telnet To Device: Opens a Telnet Session to a device with an internal IP Card Reset Group: Clears then re-programs all the devices in the selected group. Program Flash Device s IP Card: Programs the firmware of the internal IP of the selected device Program Flash SSE Device: Programs the firmware of the selected SSE device. Program Device Contact List: Programs all devices in the Not Contacted List Configure Device s IP Card(s): Configures the internal IP Card of the device when using Network Communications. When any other communication mode is used, this option will act like a normal program device Status: Displays the Program-Update to-do list for all devices in the system Display DDM RealTime Information For Device: Displays the real time information for selected device Display Audit Information For Device: Displays the audit information for the selected device Update Device Time: Resets the date and time of the device. Program Group Flash Devices IP Card: Programs the Firmware of the IP Card for all devices in the selected group. Test Device s Internal Modem by Network: Tests the internal modem by connecting to the device via network communications. Clear Device: Clear all security credentials (system password and system key) from the device. The device must then be reprogrammed before it can be accessed. 11-2

104 11.2 Programming Devices Overview When the database is modified or a device is added, the devices need to be programmed with information from the DDM computer database. The device may be reloaded with information from database of the DDM computer or a device may be updated with any information that is new. You may choose to program all devices, all devices of a group, or a single device. After you select the appropriate option, a series of screens are displayed that provide you with the status of the procedure. The first screen is the Call Status screen. You may stop the process by clicking Hangup. Several informational screens will display after this screen. When the programming of the device or devices has been successfully completed, the message Successfully Programmed: is displayed. If the operation is not successful, a popup window with an error message is displayed. An entry in the Audit Trail log will indicate the success or failure of the operation Program-Update Device The Program-Update Device option enables you to update the database of a single device with any changes to the device record since the last time the device was programmed. 1. Under Group List, click the name of the group that contains the device to be updated. A list of devices is displayed in the right pane. 2. From the list, select the name of the Device to be updated. 3. Click Program in the Menu Bar. Select Program-Update device. An alternative method of updating a remote device is to click on Devices in the group to which the device belongs. The device list displays. Highlight and then right-click the device name. From the menu displayed, select Program-Update. 11-3

105 Program-Reload Device Program-Reload Device clears a single device and then reprograms it with the information in the device record, including device, user, and client information. Program-Reload is selected when you a programming a new device, or device that has been cleared. 1. Under Group List, click the name of the group that contains the device to be reloaded. A list of devices is displayed in the right pane. 2. From the list, select the name of the Device to be reloaded. 3. Click Program in the Menu Bar. Select Program-Reload Device. An alternative method of clearing and reprogramming a remote device is to click on Devices in the group to which the device belongs. The device list displays. Highlight and then right-click the device name. From the menu displayed, select Program- Reload Program Group Program Group lets you program each device of a selected group. Based on the changes made to the database residing on the DDM PC, Program Group adds and deletes users from the database of each device of the group. Program Group does not clear the default parameters of a device; it updates the devices with the changes since the last time the devices were programmed. 1. Under Group List, select the Group Name. 2. Click Program in the Menu Bar. Select either Program Group Reset a Group Reset Group clears all devices in the selected Group to the default settings, and then programs each device with the date and time, system options, port options, and the client ID list (if it is not a client). 1. To reset a Group, select the Group in the Group tree list. 2. Click Program in the Menu bar and select Reset Group. A message will be displayed requesting a confirmation of the Reset. 11-4

106 11.4 Programming Flash for a Selected Group Select this option to program the flash memory of all devices in the selected Group. To program the flash memory, the DDM computer sends a hex file to all devices of the selected group. 1. Select the Group from the group tree list in the left pane. 2. Click on Program in the menu bar. 3. Select Program Flash for the group Programming Flash for a Selected Device Select this option to program the Flash memory in the selected device. This procedure loads a hex file from the DDM computer. 1. Click on the Device Name in the right pane. 2. Select Program from the menu bar. 3. Select Program Flash for Selected Device from the pull down menu. The Hex file list will be displayed. 4. Select the HEX file to be loaded into the device. UniGuard devices: the file should be named Ugrdxxx.hex where xxx = the version (ex 7.01). Port Authority devices: the file should be Paxxx.hex, where xxx = version (ex 1.03). MultiGuard devices: the file should be MG04xxx.hex, where xxx is the version number (ex. 5.02) Program All Devices To program all devices, click on Group List in the left pane. From the Program menu, select Program All Devices to update each device in the group with the changes since the last update. 11-5

107 11.7 Telnet to Device To telnet to a device, click on the Devices icon of the Group to which the device belongs and select the device from the list. From the Program menu, select Telnet to Device. A telnet connection to the selected device will be established Status To display the Device Spooler Status log, click Status. The Device Spooler Status lists the Program tasks to be completed. The entries will be automatically deleted from the lists as the programming tasks are completed. To display this log, select Status from the Program menu Program Device Contact List Select this option to display a list of all devices that have not been contacted. 11-6

108 11.10 Configure the IP Card of a device Select this option to configure the IP card of a device when using Network Communications. In the right panel, click to highlight the device name. Once the device name has been highlighted, select the Configure Device s IP card option from the Program menu. If the communications mode is set to Network, then only the IP card is configured. If any other communication mode is selected, then the device is reprogrammed as if Program-Update device was selected. If a communication mode other than Network communications (modem, serial port, IP dialout) is used, then this option acts like a Program-Update Device option. A series of informational screens will be displayed. If the programming is unsuccessful, a pop-up window that displays a failed to connect to device message will be displayed DDM Programming a Remote SSE using Modem Communications To program a remote SSE, the DDM dials out to a SST Terminal that has an attached SSE device. 1. Highlight the SSE device from the DDM Client List view. The Communication type for this device should be set for Modem Dialout (check the SSE device properties). There should also be a dialout modem number defined in this SSE device s properties (check the SSE device properties). 2. From the SST Terminal, connect using the Direct To Com Port communication type with the correct Com port selected. This Com port must have a modem connected (internally or externally). 11-7

109 3. From the DDM, select the Program from the menu bar and then Program-Reload device from the popup menu. 4. The DDM will then dial out to the remote SST that has an attached SSE. After connecting to the SST, the modal popup windows on both the DDM and SST will indicate if the SSE device was program successfully (Successful Communication with CDI SST Terminal) DDM Flash Programming a Remote SSE using Modem Communications To flash program a remote SSE, the DDM uses modem communications and dial out to a SST Terminal that has an attached SSE device. Highlight the SSE device from the DDM Client List view. The Communication type for this device should be set for Modem Dialout (check the SSE device properties). There should also be a dialout modem number defined in this SSE device s properties (check the SSE device properties). 1. From the SST Terminal, connect using the Direct To Com Port communication type with the correct Com port selected. This Com port must have a modem connected (internally or externally). 2. From the DDM select the Program menu bar. Then select Program SSE Flash from the popup menu. 3. The next window is the Choose Flash Type window. Select the correct Pilot file and SSE Flash file. These files will be used in the SSE Flash process. Then select the Start button to start the SSE Flash process. 4. The DDM will then dialout to the remote SST that has an attached SSE. After connecting to the SST, the modal popup windows on both the DDM and SST will indicate the Flash process status. The DDM will first send the pilot file. After the pilot file was successfully sent, the DDM will send the image file to the SSE. After the image file was successfully sent, both the DDM and SST will both display that the SSE was successfully flashed. The DDM will then reprogram the SSE device. This procedure may take from 5 to 10 minutes to complete Displaying the DDM Real Time Information for a Selected Device To select the device for which you want to display DDM Real Time Information, click Devices in the Group containing the Device. From the list displayed, select the device. From the Program menu, select Display Real Time DDM Information for Device. 11-8

110 . When the Display DDM Real Time Information For Device is selected, the DDM Real Time Log for that device will be displayed. From this screen the Log can be printed, sent to a file, or deleted Displaying the Audit Information for a Device Audit information for a device includes each event that occurred to a device, the date and time of the occurrence, the port and other information. Failures and errors are listed in red. The Audit Information log may be printed, sent to a file, or deleted. Display a list of the devices of a group by clicking on Devices icon in the Group containing the device to be selected. From the list displayed, select the device. From the Program menu, select Display Audit Information for Device. 11-9

111 The information includes each event that occurred to a device, the date/time that the event occurred, the port, and other information. Note that failures and other errors are listed in red Program Group Flash Devices IP Card Select this option to program the Firmware of the IP Card for all devices of a particular group that have a particular card type. Select the IP card type from the window displayed. For example, if a 10 MEG IP card is selected, all devices of the group that have a 10 MEG IP card will be programmed. If there are devices that have cards of a different type, you will need to repeat this process

112 11.16 Clear Device This option clears all the security credentials from the device it must than be reprogrammed before it can be accessed. To reprogram a cleared device, select Program-Reload

113 12 REPORTING and MAINTENANCE The DDM generates system, client, and device reports automatically. This section describes the following: Switching to Report view Creating a report template Deleting a template Deleting an audit trail Purging logs 12.1 Report View To access the Reports section, click on View on the Menu Bar. From the menu displayed, select Report. Select All under Report to display all audit trail information in the database. Template list Reports are displayed in the View pane The left window lists the existing templates. The right window displays the actual System Log. System Log, Device, and Client reports are automatically generated by the DDM. 12-1

114 All includes all device/user interactions in the report. System Log lists any modifications to the DDM database. Device Report lists events that occurred to devices. Client Report lists events that occur to client devices Report Templates A Report Template is a group of parameters that define the information displayed in an Audit Trail Report. An unlimited number of templates can be designed to display the data required. Templates may be created, edited, and deleted. To create a new template, highlight "Audit Trail Template List" in the left window. Click Template on the menu bar and select Add from the pull down window. The Audit Trail Configuration window is displayed. Template Name Assign a name for this template. To display all devices, all Users, and all events in the Selected list boxes, double click on Display All Lists. Date and Time Fields Select the date format as MM/DD/YYYY or DD/MM/YYYY. 12-2

115 Enter the date/time range for which this report is to be compiled. The format for the date and time is: MM/DD/YYYY HH:MM. AM/PM. Leading zeros are required Group Name The left window shows all the groups in the database. To transfer a group to the "Selected" window for this report, double click on the group name. To de-select a group, double click on the name in the "Selected" window. To include all available groups in the report, double click on "All Groups". This method of selecting applies to all other report parameters for the template. Device Name The left window shows all the devices in the groups. Transfer the devices to be included in this report to the selected Device Name list on the right. User ID All the users assigned to the selected groups are displayed on the left. Transfer the users whose activities are to be included in the report to the selected User ID list on the right. Audit Trail Event The Audit Trail Event List (left window) shows all events, which can be monitored. Transfer the events desired for this report to the Audit Trail Event List (right) window. List of Audit Trail Events A complete list of Audit Trail Events is listed in the Appendix. Edit an Existing Template To edit an existing template, double-click on the template name or highlight the name. Click on Template in the Menu Bar and then select Display/Modify from the pull down window. Delete an Existing Template To delete an existing template, double-click on the template name or highlight the name. Click on Template in the Menu Bar and select then Delete from the pull down window. Displaying an Audit Trail for a Template To display an Audit Trail for a specified Template, click on the Template name in the Report tree view. The selected Audit Trail will be displayed in the Report List view Audit Trail Maintenance Maintenance of the Audit Trail consists of the following tasks. Setup 12-3

116 Archiving Purging Purging the Audit Trail To purge an Audit Trail, click on Maintenance in the Menu Bar and select "Purge" from the pull down window. The Purge pull down window will be displayed. This will allow all Audit Trail information prior to the displayed date to be purged from the database Archive DDM ODBC Databases To archive (Backup) the DDM ODBC Database, click on Maintenance in the Menu Bar and select " Database Archive " from the pull down window. The Database query message box will be displayed. Select Yes to archive the database. You will then be asked to select the folder in which the database will be archived. The archived databases (ddmdatammddyy.mdb and ddmlogmmddyy.mdb) will be copied to the selected folder Purging the Audit Trail An audit trail may be purged automatically or manually. The DDM SQL version can automatically purge the Audit Trail and the SQL Server utilities will archive (backup) the DDM SQL databases. The DDM ODBC version can automatically purge the Audit Trail as well as archive the database automatically or manually. Automatic Purge of an Audit Trail Setting up automatic purging of an Audit Trail consists of defining the number of days that an Audit Trail/ Real Time DDM Real Time Log will be maintained providing the Automatic Purge window is checked. Example: To automatically purge all information over 30 days from the Audit Trail log, set Maintain an Audit Trail to 30 days Manual Purge of an Audit Trail To purge an Audit Trail manually, click Maintenance in the menu bar and select "Purge" from the pull down window. The Purge window will be displayed. This will allow all Audit Trail information prior to the displayed date to be purged from the database. 12-4

117 Purging the DDM Real Time Log The DDM Real Time Log can be manually or automatically purge from the DDM Real Time Log database. Manual Purge of the DDM Real Time Log You must be in Report View to manually purge the DDM Real Time log. Select the Maintenance option and then the DDM Real Time Log Purge option. The Manual DDM Real Time Log Purge screen is displayed. Set to maintain the DDM Real Time Log on this screen. The range is from zero (0) to 365 days. If zero (0) is selected, only data from the day is saved. All other days will have been purged. If the number of days has been set to 29, only the last 29 days of data will remain in the log. Automatic purge of the DDM Real Time Log The automatic purge process is accomplished from the Report View. Select the Maintenance option and then Maintenance Setup. The Maintenance Setup screen is displayed. 12-5

118 Specify the number of days to keep in the log, and the time that purging of the log is to take place. The default is 30 days for each and the default time is (HH.MM) Exit the Report Section and Return to the Devices/User View Click View on the menu bar to exit Report View. To switch from the Report View to Device/User view, click Device/User List. 12-6

119 13 DDM POLLING SERVICES This section describes how to set up and edit a polling service. Polling services are applicable only to DDM SQL About Polling Services DDM Polling Services can have a maximum of five polling services running on a Windows PC (preferably a Windows Server where the DDM databases exist). The DDM Monitoring Service will monitor these polling services schedules. Upon reaching a pre-defined schedule it will automatically start the defined polling service. The polling services only operate with DDM SQL database connections (SQL Server). These services can be started manually or automatically at a scheduled date-time. The DDM Polling service names are listed below: DDMPollService#1 DDMPollService#2 DDMPollService#3 DDMPollService#4 DDMPollService#5 13-1

120 13.2 Editing a Polling Service To edit a service double-click the service or right-click the service and select Edit Service from the popup menu. The Service Properties screen will be displayed. 13-2

121 The DDM Polling Services 1 thru 5 Start Type are initially set to Manual Start. When you set up a polling service, you can change the Start Type to Auto Start, Manual Start, or Disabled Start. Auto Start will automatically start the service on PC boot up. The DDM Monitoring service s start type should be set for Auto Start Account Types There are two types of accounts: System and User. System Account The system account uses the local system account for the service. User Account User account associates a polling service with a user. This account will need a password and confirmation of the password. 13-3

122 The User Name is the name of a user under which the service shall run. This account must have the advanced user right enabled, which is done through the Control Panel of the DDM PC. (Log on as a service (found in Control Panel\Administrative Tools\Local Security Policy)). The following format should be used: <Domain>\<user> (Example: EuroS2Team\jko). If the domain is predefined as the local machine, only the user name is necessary. (Example: \jko). If the services are not running on the Windows Server where SQL Server (DDM) databases are located, you should use a user account not the local system account. Enabling the Local Path Logging option will log information of the service's process to a pre-determined log file on the local path. This option is mainly used for debugging purposes. For example, ascertaining why the service does not start. You can view the appending log file information by clicking the View Log button. 13-4

123 The Interact with Desktop option can only be used for local system accounts. This should be disabled since there will be no interaction by the desktop with the polling services Polling Modes Poll all devices in the database. Select this option to poll all devices of all groups Poll by selected groups. Select this option to choose the groups to be polled by this service, When selecting this option you will be ask to log into the DDM SQL Server databases. You must have the proper credentials to log in successfully. After successfully logging on, the Select Groups to Poll screen will be displayed. Select the appropriate group(s) from the Groups Available list to the Groups Selected list. Click Ok to save your selections and exit. 13-5

124 Poll by selected devices. The Poll by selected devices option lets you select the devices to be polled by this service only. After you select this option you will be ask to log into the DDM SQL Server databases. You must have the proper credentials to log in successfully. 13-6

125 If modem dial out (not IP dialout communications) communications is used for polling, select a modem driver to be used by the service must be selected. Click the Modem List button and select the appropriate modem driver from the list. Click OK to save your selections and exit Installing a Polling Service You must be logged into the DDM SQL databases to install the service. The service needs to have the proper credentials to access the DDM SQL Server database for polling access. The Service Properties screen is displayed. In this screen, you can set the Start type (automatic or manual), Polling Mode, logging, up automatic polling. 13-7

126 Scheduling a Service Click the Scheduler button to schedule the service to start at a pre-defined date-time. To enable scheduling, the service s schedule type must be set for the option with Scheduler. 13-8

127 In this example, the polling service will start every seven days at 1:00 AM. The next time the polling service will start is November 11, 2008, which is a Tuesday, at 1:00AM. The frequency is measured in days. The Current Cycle is the number of days that have passed without the scheduled start time being reached. Polling service installation To install a service, click the Install Service button on the Service Properties screen. 13-9

128 DDM Polling Service #1 has been installed and the DDM Monitoring service is installed and running Stopping or Deleting a Polling Service To stop a service that is running (Service Status displays running), right-click on the service in the list and select Stop Service. To delete a listed service, right-click on the service name and select Delete Service

129 14 TROUBLESHOOTING Some users are not reachable by the DDM. Check that the subnet mask is set correctly. Device Properties Primary Network Properties The device is unable to negotiate a PPP session. Verify that the PPP address is within the local network segment. Device Properties Primary Network Properties No heartbeat messages or alarms are being received even though the heartbeat attributes have been defined. The DDM must be enabled for real time logs. Verify that the device has an internal IP card. The device status is INUSE but the device is not being used. Can I clear the device? When a device is being contacted by the DDM, the device will have a status of INUSE. If the device is not being used and the status still reads INUSE, click on the status and select Clear Device Status to IDLE. 14-1

130 APPENDIX A Cabling Diagrams Port Authority Master-Slave Cabling Diagrams The cable connection shows a Master Port Authority connected to two Port Authority Slave units. The interconnecting cables, Part # CBL CAT5 Yellow, are yellow to distinguish them from other cables can be obtained from CDI. NOTE MAINT (Maintenance) port is changed to Serial Port (this is a running change). MultiGuard Master-Slave Cable Connections Using the Master/Slave function can expand the MultiGuard up to 36 ports. One Master an up to eight Slave MG-400 units. The DDM software allows for MultiGuard to be defined as Master or Slave. The connections are from a Maintenance Port to a Link Port. The cable connection shows a Master MultiGuard connected to two MultiGuard Slave units. The interconnecting cables, Part # CBL MG-400 LINK, are orange to distinguish them from other cables can be obtained from CDI. Power Power Control Modules TELCO MAINT LINK Communication Ports MODEM HOST MODEM HOST MODEM HOST MODEM HOST VAC CT MultiGuard Power Power Control Modules TELCO MAINT LINK Communication Ports MODEM HOST MODEM HOST MODEM HOST MODEM HOST VAC CT MultiGuard Power Power Control Modules TELCO MAINT LINK Communication Ports MODEM HOST MODEM HOST MODEM HOST MODEM HOST VAC CT MultiGuard MultiGuard, Master/Slave connections

131 APPENDIX B MultiGuard Port Options Device Property, MultiGuard Defined Ports Options There are two different types of MultiGuard devices: MG-400 and MG The MultiGuard 400 contains four (4) ports and the MultiGuard 1600 contains sixteen (16) ports. The Assign MG Slaves bar will be displayed for a Master MultiGuard-400. When this bar is activated the Slave device list from the database dialog list will be displayed. The MG-400 slaves that are displayed in this list, must be defined in the same group as the Master MG-400 device and have the same device mode as the Master MG- 400 device This will allow the attaching of slaves to the Master MultiGuard-400 device. This remainder of this screen is for setting communication parameters for each of the MultiGuard ports, sixteen for the MG-1600 and four for the MG-400. The display will only be available if MultiGuard was selected as the "Device Type" on the Device Info screen. Additional information can be displayed by moving the scroll bars. These options are described in the MultiGuard manual. MultiGuard Port Properties Each Host Port (1 through 4 for the MG 400 and 1 through 16 for the MG 1600) can be assigned: Baud rate (9600), Data Bits and Parity (8/no parity), Security Mode (Secure, Bypass). Host Dialout (Disabled, Enabled) Select Line Type (Full, Half Duplex). Configure Type (This port, All ports) Note: The underlined are Defaults

132 APPENDIX C AUDIT TRAIL EVENTS

133 1. Invalid System Logon 2. Network Connect Start 3. IP Connection 4. User Dates Error 5. Ring No Answer 6. Incomplete Call 7. Turn On Power Port 8. Turn Off Power Port 9. Network Connect Ended 10. No Modem Hangup 11. Modem Not Responding 12. User ID/Password Error 13. User Already In Use 14. Timeout During User Logon 15. Pager Input Error 16. Calculator Input Error 17. Unable to Connect to Host 18. Host Connect End 19. Modem Connect End 20. User Logon 21. Connect to Host 22. Call Started (Carrier Detected) 23. Call Started 24. Call End 25. Host Down 26. Host Up 27. Host Accessing Modem 28. Random to Pager 29. Redialing User 30. Password Updated 31. Pager User Call Incomplete 32. Connect to Port 33. Disconnect from Port 34. User Logout 35. Device Updated 36. Device Cleared and Updated 37. Database Error During Communication 38. Failed to Connect to Device 39. Communication Error 40. Device Successfully Programmed 41. Communication Dropped 42. Purged Audit Trail 43. Failed to Purged Audit Trail 44. Successful Flash Update 45. Failed Flash Update 46. Network Disconnect 47. Device Powered Up 48. Device Reset 49. Card Removed or Bad 50. Card Replaced 51. Unable to Complete Call 52. RSA Expired Token 53. New Pin Mode 54. User Locked Out 55. Next Pin Mode 56. Send New Pin 57. No DTR-RTS on Host 58. No RTS on Host 59. Invalid Key 60. Invalid Encryptor 61. Number of Slaves Connected 62. IP Initiated a Call 63. IP Dialout 64. No Telco Connection for Modem 65. Device Not Responding 66. DTR on Host 67. No DTR on Host 68. RTS on Host 69. DDM User Logged On 70. DDM User Logged Off 71. Added User to DDM DB 72. Modified User to DDM DB 73. Deleted User from Group 74. Deleted User from DDM DB 75. Added Device to DDM DB 76. Modified Device to DDM DB 77. Deleted Device from DDM DB 78. Added User to Group 79. Modified User in Group 80. Unlocked All Records 81. Added Master Administrator 82. Changed Master Administrator 83. Removed Master Administrator 84. Purged Expired RSA Users 85. Error in Purge of Expired RSA Users 86. Connected to an Invalid Device UniGuard 87. Connected to an Invalid Device Port Authority 88. Connected to an Invalid Device MultiGuard 89. DDM Failed: Invalid System Password 90. DDM Failed: Invalid System Key 91. Failed in Programming Users 92. Failed in Programming Encryptor Info 93. Failed to Retrieve Device Audit 94. Line Busy 95. No Dial Tone 96. Access is Denied 97. Error Configuring Primary IP Card 98. Slave IP Flashed Updated 99. Master IP Flashed Updated 100. Device Unable to Write to Master Flash 101. Device Unable to Write to Slave Flash 102. Successful SSE Device Update 103. Invalid SSE Device Update 104. SSE Flashed Updated 105. No User ID or Password Prompt 106. Error Configuring Secondary IP Card 107. AES Engine Flashed Updated 108. Successful DDM Database Backup 109. No Contact From Device 110. Device Is Alive 111. No DTR on Host

134 112. DTR on Host 113. Network Error 114. Remote Closed Network Port 115. Device Closed Network Port 116. Invalid IP Admin ID/Password 117. Failed Master IP Pilot Flash 118. Failed Slave IP Pilot Flash 119. Failed Master IP Image Flash 120. Failed Slave IP Image Flash 121. Successfully Configured Primary IP 122. Successfully Configured Secondary IP 123. Re-Establish Contact with Device 124. Failed in Programming DateTime 125. Failed in Programming System Options 126. Failed in Programming Modem Port Options 127. Failed in Programming Defined Port Options 128. Device is Running in Re-Flash Mode 129. Device Failed To Reboot After Re- Flash 130. Device Failed During Flash Download 131. No Response To Flash Ping Message 132. No SAM Client Reply 133. Invalid SAM Client ID 134. Failed SAM Client Authentication 135. Successful SAM Client Authentication 136. Device Failed During Boot Loader Flash Download 137. Local Client No Socket Connection 138. Local Client No Dial Tone 139. Local Client Line Busy 140. Device is Busy 141. Device is in Alarm Mode 142. Start of Polling Process 143. End of Polling Process 144. Failed in Flashing Primary IP card 145. Invalid System Logon 146. Network Connect Start 147. IP Connection 148. User Dates Error 149. Ring No Answer 150. Incomplete Call 151. Turn On Power Port 152. Turn Off Power Port 153. Network Connect Ended 154. No Modem Hangup 155. Modem Not Responding 156. User ID/Password Error 157. User Already In Use 158. Timeout During User Logon 159. Pager Input Error 160. Calculator Input Error 161. Unable to Connect to Host 162. Host Connect End 163. Modem Connect End 164. User Logon 165. Connect to Host 166. Call Started (Carrier Detected) 167. Call Started 168. Call End 169. Host Down 170. Host Up 171. Host Accessing Modem 172. Random to Pager 173. Redialing User 174. Password Updated 175. Pager User Call Incomplete 176. Connect to Port 177. Disconnect from Port 178. User Logout 179. Device Updated 180. Device Cleared and Updated 181. Database Error During Communication 182. Failed to Connect to Device 183. Communication Error 184. Device Successfully Programmed 185. Communication Dropped 186. Purged Audit Trail 187. Failed to Purged Audit Trail 188. Successful Flash Update 189. Failed Flash Update 190. Network Disconnect 191. Device Powered Up 192. Device Reset 193. Card Removed or Bad 194. Card Replaced 195. Unable to Complete Call 196. RSA Expired Token 197. New Pin Mode 198. User Locked Out 199. Next Pin Mode 200. Send New Pin 201. No DTR-RTS on Host 202. No RTS on Host 203. Invalid Key 204. Invalid Encryptor 205. Number of Slaves Connected 206. IP Initiated a Call 207. IP Dialout 208. No Telco Connection for Modem 209. Device Not Responding 210. DTR on Host 211. No DTR on Host 212. RTS on Host 213. DDM User Logged On 214. DDM User Logged Off 215. Added User to DDM DB 216. Modified User to DDM DB 217. Deleted User from Group 218. Deleted User from DDM DB 219. Added Device to DDM DB 220. Modified Device to DDM DB

135 221. Deleted Device from DDM DB 222. Added User to Group 223. Modified User in Group 224. Unlocked All Records 225. Added Master Administrator 226. Changed Master Administrator 227. Removed Master Administrator 228. Purged Expired RSA Users 229. Error in Purge of Expired RSA Users 230. Connected to an Invalid Device UniGuard 231. Connected to an Invalid Device Port Authority 232. Connected to an Invalid Device MultiGuard 233. DDM Failed: Invalid System Password 234. DDM Failed: Invalid System Key 235. Failed in Programming Users 236. Failed in Programming Encryptor Info 237. Failed to Retrieve Device Audit 238. Line Busy 239. No Dial Tone 240. Access is Denied 241. Error Configuring Primary IP Card 242. Slave IP Flashed Updated 243. Master IP Flashed Updated 244. Device Unable to Write to Master Flash 245. Device Unable to Write to Slave Flash 246. Successful SSE Device Update 247. Invalid SSE Device Update 248. SSE Flashed Updated 249. No User ID or Password Prompt 250. Error Configuring Secondary IP Card 251. AES Engine Flashed Updated 252. Successful DDM Database Backup 253. No Contact From Device 254. Device Is Alive 255. No DTR on Host 256. DTR on Host 257. Network Error 258. Remote Closed Network Port 259. Device Closed Network Port 260. Invalid IP Admin ID/Password 261. Failed Master IP Pilot Flash 262. Failed Slave IP Pilot Flash 263. Failed Master IP Image Flash 264. Failed Slave IP Image Flash 265. Successfully Configured Primary IP 266. Successfully Configured Secondary IP 267. Re-Establish Contact with Device 268. Failed in Programming DateTime 269. Failed in Programming System Options 270. Failed in Programming Modem Port Options 271. Failed in Programming Defined Port Options 272. Device is Running in Re-Flash Mode 273. Device Failed To Reboot After Re- Flash 274. Device Failed During Flash Download 275. No Response To Flash Ping Message 276. No SAM Client Reply 277. Invalid SAM Client ID 278. Failed SAM Client Authentication 279. Successful SAM Client Authentication 280. Device Failed During Boot Loader Flash Download 281. Local Client No Socket Connection 282. Local Client No Dial Tone 283. Local Client Line Busy 284. Device is Busy 285. Device is in Alarm Mode 286. Start of Polling Process 287. End of Polling Process 288. Failed in Flashing Primary IP card