HELP DOCUMENTATION SSRPM WEB INTERFACE GUIDE
Copyright 1998-2013 Tools4ever B.V. All rights reserved. No part of the contents of this user guide may be reproduced or transmitted in any form or by any means without the written permission of Tools4ever.
DISCLAIMER - Tools4ever will not be held responsible for the outcome or consequences resulting from your actions or usage of the informational material contained in this user guide. Responsibility for the use of any and all information contained in this user guide is strictly and solely the responsibility of the user. All trademarks used are properties of their respective owners.
Contents
1. Introduction
2. Installing the Web Interface
2.1. Installing the SSRPM COM Object
2.2. Installing the Web Interface
2.3. Configuring IIS 6
2.4. IIS 7
2.4.1. Installation
2.4.2. Configuration
2.4.3. Troubleshooting
2.5. Configuring SSL
2.6. Configuring the Web Interface in a DMZ
2.6.1. IIS 6
2.6.2. IIS 7
2.6.3. Troubleshooting
3. Configuring the Web Interface
3.1. Config.asp
3.2. ConfigCaptha.asp
4. Web Interface Overview
4.1. Main Window
4.2. Enrollment
4.3. Reset Password
4.4. Unlock Account
5. Frequently Asked Questions (FAQ)
1. Introduction

This document describes the SSRPM web interface. The chapter Installing the Web Interface covers the installation of the SSRPM Web Interface with Microsoft IIS. The chapter Overview covers the pages that are available with the SSRPM Web Interface. Please note that the Web Interface shipped with SSRPM can be fully customized. Refer to the "COM Object Guide" for a complete description of the SSRPM COM Object used in the Web Interface.

2. Installing the Web Interface

This chapter describes step by step how to install the web interface. This document assumes that IIS is already installed and running. The Web Interface is installed in three steps:
1. Installing the SSRPM COM Object. First, the SSRPM COM Object must be installed on the machine running IIS.
2. Installing the Web Interface. Second, the Web Interface must be copied to a directory on the machine running IIS.
3. Configuring IIS. Last, IIS must be configured so that the web interface can be accessed.

2.1. Installing the SSRPM COM Object

The Web Interface uses the SSRPM COM Object to access the SSRPM Service. This COM Object must first be registered on the machine running IIS. This chapter describes in detail how to register the SSRPM COM Object.
1. Copy the SSRPM COM Object to the target machine. The SSRPM COM Object is installed together with the SSRPM Admin Console and can be found in the directory "C:\Program Files\Tools4ever\SSRPM\COM". There are 2 versions of the COM Object: 32-bit and 64-bit. Use the 32-bit version for 32-bit operating systems and the 64-bit version for 64-bit operating systems. The file names are "SSRPMCOM.dll" and "SSRPMCOMx64.dll", respectively.
2. Also copy the file 'Register.bat' to the same directory as the SSRPM COM Object.
3. Go to the machine running IIS.
4. Double click on the file 'Register.bat'. If the registration succeeds, the following dialog is displayed:

This completes the installation of the SSRPM COM Object.
The next chapter will describe how to install the Web Interface on the machine running IIS.
2.2. Installing the Web Interface

The SSRPM Web Interface is a set of ASP pages with which a user can enroll into SSRPM, reset his password or unlock his account. This chapter describes how to install the SSRPM Web Interface on the machine running IIS.
1. The SSRPM Web Interface files are installed together with the SSRPM Admin Console. They can be found in the directory 'C:\Program Files\Tools4ever\SSRPM\Admin Console\Examples\Web Interface'. Select all of the files in that directory (including any subdirectories) and copy them to an empty directory on the machine running IIS.

Please note that the web interface by default is configured to connect to the SSRPM Service on the same machine as IIS. This behaviour can be changed by editing the SSRPMServer = "localhost" line in the Config.asp file. Change 'localhost' to the computer name of the computer running the SSRPM Service.

2.3. Configuring IIS 6

After installing both the SSRPM COM Object and the SSRPM Web Interface, IIS can now be configured to run the SSRPM Web Interface. This chapter describes in detail how to configure IIS to run the SSRPM Web Interface.
1. Go to the Control Panel and click on Administrative Tools.
2. Double click on the 'Internet Information Services (IIS) Manager'. The IIS Manager is displayed:
3. Select the 'Web Service Extensions' folder.
4. Right click on 'Active Server Pages' and select 'Allow' from the menu:
5. Right click on the folder 'Web Sites' and select 'New --> Web Site...'. This will display the Web Site creation wizard.
6. Click on 'Next' so that the 'Web Site Description' page is displayed:
7. Enter a description for the web interface and click 'Next'.
8. The following page is displayed:
9. Enter the IP address and the port number that must be used for the website and click on Next.
10. The Home Directory page is displayed:
11. Enter the path to which the SSRPM Web Interface files were copied and click on Next.
12. The 'Web Site Permissions' page is displayed:
13. Make sure that 'Read' and 'Run Scripts (Such as ASP)' are checked and click on Next.
14. Click on Finish to exit the wizard.

To check if the web site is up and running, open a browser and enter 'http://' and the IP address specified in the wizard. If the entered port number is not 80, also specify the port number. (For instance: 'http://192.168.196.30:81')

Please note that the finish page of the Web Site Creation Wizard displays whether the creation of the web site succeeded or failed. If the creation failed, it is possible that another web site is already running on the specified IP address/port number. In that case restart the wizard and choose another IP address and/or port number.

After completing these steps, the web interface is up and running. It is however not secure. Please refer to the subchapter 'Configuring SSL' on how to install and configure SSL for the SSRPM Web Interface.

2.4. IIS 7

Windows 2008 and Windows 2008 R2 use IIS 7.0 and IIS 7.5 respectively; however, IIS is not installed by default. The following section describes the installation process. If IIS is already installed on the machine, you can go to the configuration section. Please note however that ASP support is required and is added during the installation process.
2.4.1. Installation

This section will help you install IIS on the machine.
1. Go to 'Administrative Tools' and click on 'Server Manager'. This will open the following dialog:
2. Click on 'Roles' in the navigation tree.
3. Click on 'Add Roles'; this will open the 'Add Roles Wizard'.
4. Navigate to the Server Roles. Check 'Web Server (IIS)' and click 'Next'.
5. In the 'Select Role Service' dialog check 'ISAPI Extensions' and 'ASP'. If you check 'ASP' first you will be shown the 'Add role services required for ASP' dialog, because ASP requires that 'ISAPI Extensions' is installed. If you click on 'Add Required Role Services', it will check 'ISAPI Extensions'. Click on 'Next'.
6. Click on 'Install' to install IIS.
7. Click on 'Close' to exit the 'Add Roles Wizard'.

2.4.2. Configuration

After installing both the SSRPM COM Object and the SSRPM Web Interface, IIS can now be configured to run the SSRPM Web Interface. This chapter describes in detail how to configure IIS to run the SSRPM Web Interface.
1. Go to the Control Panel and click on Administrative Tools.
2. Double click on the 'Internet Information Services (IIS) Manager'. The IIS Manager is displayed:
3. Select the server name and click on ISAPI and CGI Restrictions:
4. Right click on Active Server Pages to change the restriction (it should be set to 'Allowed').
5. Right click on the folder 'Sites' and select 'Add Web Site...'. This will open the Add Web Site dialog.
6. Enter all the information and click on 'OK'.
2.4.3. Troubleshooting

Handler Mappings

In order for ASP pages to be displayed, there needs to be a Handler Mapping.
1. To check on the handlers, open the 'Internet Information Services (IIS) Manager'.
2. Click on the SSRPM website.
3. Click on 'Handler Mappings'. This will show the following dialog:
4. Make sure that there is an entry listed for 'ASPClassic', as shown in the example.

2.5. Configuring SSL

After the Web Interface has been installed, it can be used to enroll users and reset passwords. It is however not very safe, because all information is sent to the IIS Server in clear text. Because of this, all Web Interface implementations should use SSL to encrypt all information sent and received. This chapter will guide you through the process of configuring SSL for the SSRPM Web Interface.
1. Go to the Control Panel and click on Administrative Tools.
2. Double click on the 'Internet Information Services (IIS) Manager'. The IIS Manager is displayed:
3. Right click on 'SSRPM Web Interface' and select 'Properties' from the menu.
4. Go to the 'Directory Security' tab:
5. Click on the 'Server Certificate...' button to start the 'Web Server Certificate Wizard'. There are several different methods to finish this wizard and they will not be discussed in this document.
6. After finishing the 'Web Server Certificate Wizard', click on the 'Edit...' button in the 'Directory Security' tab. This will display the 'Security Communications' dialog:
7. Please check the 'Require secure channel (SSL)' checkbox and the 'Require 128-bit encryption' checkbox. Click on OK when finished.
8. Click on 'OK' to close the web interface configuration pages.

After completing these steps, the web interface is secured using SSL. To access the web interface, 'https' instead of 'http' must be used.

2.6. Configuring the Web Interface in a DMZ

The SSRPM Web Interface together with the SSRPM COM Object can be configured to run in a DMZ / perimeter network. This chapter describes how to configure IIS to be able to use the Web Interface in a DMZ.

Note: There are many possible configurations for a DMZ/perimeter network. The solution in this chapter is based on a network that consists of three zones: LAN, DMZ and Internet. The solution provided in this document is written for this type of network, but can easily be modified to be used in other configurations.

Note 2: This chapter assumes that the SSRPM web interface has been installed and configured on a machine in the DMZ.

Please note: A connection rule in the firewall must be created to allow RPC traffic from the SSRPM COM Object in the DMZ to the SSRPM Service in the LAN. By default the SSRPM Service uses port 37946 (TCP) to communicate with its clients.

2.6.1. IIS 6

IIS configuration:
1. Create an account in the domain. This account may be a member of 'Domain Guests' only.
2. Create a local account with the same name and password on the machine in the DMZ running the IIS server (which may also be a guest account).
3. Install the SSRPM Web Interface on the machine in the DMZ. A complete guide on how to install the web interface can be found at the beginning of this chapter.
4. Open the IIS Manager on the machine in the DMZ.
5. Right click on the SSRPM website and select 'Properties'.
6. Go to the 'Directory Security' tab.
7. Click on the 'Edit...' button in the 'Authentication and access control' box. This will display the following dialog:
8. Check the 'Enable anonymous access' checkbox.
9. Enter the username and password of the account that was created in steps 1 and 2.
10. Click on 'OK'.
11. Click on 'OK'.

2.6.2. IIS 7

IIS configuration:
1. Create an account in the domain. This account may be a member of 'Domain Guests' only.
2. Create a local account with the same name and password on the machine in the DMZ running the IIS server (which may also be a guest account).
3. Install the SSRPM Web Interface on the machine in the DMZ. A complete guide on how to install the web interface can be found at the beginning of this chapter.
4. Open the IIS Manager on the machine in the DMZ.
5. Click on the SSRPM website.
6. Click on 'Authentication'; this will result in the following dialog:
7. If necessary, enable 'Anonymous Authentication' by right clicking on 'Anonymous Authentication' and clicking on 'Enable'.
8. Right click on 'Anonymous Authentication' and click on 'Edit'. It will open the 'Edit Anonymous Authentication Credentials' dialog:
9. Enter the username and password of the account that was created in steps 1 and 2.
10. Click on 'OK'.
11. Close the IIS Manager.
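The settings from 2.4.3 (handler mapping), 2.5 (SSL) and 2.6 (anonymous account, firewall rule) can be checked in one pass on an IIS 7/7.5 host. The script below is an added example and not part of the Tools4ever documentation; the site name, account name and server name are placeholders to be replaced with your own values.

```powershell
# Added example: read-only audit of the SSRPM site on an IIS 7/7.5 host in the DMZ.
# Run in an elevated PowerShell session on the IIS machine.
param(
    [string]$SiteName    = 'SSRPM Web Interface',  # assumed IIS site name
    [string]$AnonUser    = 'ssrpm-web',            # hypothetical account from steps 1 and 2
    [string]$SsrpmServer = 'ssrpm.example.local',  # placeholder: host running the SSRPM Service
    [int]$SsrpmPort      = 37946                   # default SSRPM Service port (TCP) per this guide
)

Import-Module WebAdministration

# Get-WebConfigurationProperty returns either a plain value or an object with .Value
function Get-Value($Result) {
    if ($Result -is [string] -or $Result -is [bool]) { $Result } else { $Result.Value }
}

function Get-SiteSetting([string]$Filter, [string]$Name) {
    Get-Value (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $SiteName -Filter $Filter -Name $Name)
}

# 2.4.3: the classic ASP handler must be mapped for the site
$aspHandler = Get-WebHandler -PSPath "IIS:\Sites\$SiteName" -Name 'ASPClassic'

# 2.5: 'Require SSL' and 'Require 128-bit' appear as the Ssl and Ssl128 flags
$sslFlags = [string](Get-SiteSetting 'system.webServer/security/access' 'sslFlags')

# 2.6.2: anonymous access must run as the dedicated low-privilege account
$anonPath    = 'system.webServer/security/authentication/anonymousAuthentication'
$anonEnabled = Get-SiteSetting $anonPath 'enabled'
$anonName    = Get-SiteSetting $anonPath 'userName'

# 2.6: the firewall must pass TCP from this host to the SSRPM Service port
$client = New-Object System.Net.Sockets.TcpClient
try     { $client.Connect($SsrpmServer, $SsrpmPort); $reachable = $client.Connected }
catch   { $reachable = $false }
finally { $client.Close() }

# Parentheses are required: the comma operator binds tighter than -match and -eq
$checks = @(
    @('ASPClassic handler mapped',        [bool]$aspHandler),
    @('SSL required',                     ($sslFlags -match '\bSsl\b')),
    @('128-bit encryption required',      ($sslFlags -match '\bSsl128\b')),
    @('Anonymous authentication enabled', [bool]$anonEnabled),
    @("Anonymous user is '$AnonUser'",    ($anonName -eq $AnonUser)),
    @("TCP $SsrpmPort reachable",         $reachable)
)
$checks | ForEach-Object {
    New-Object PSObject -Property @{ Check = $_[0]; Passed = $_[1] }
} | Format-Table Check, Passed -AutoSize
```

A failed SSL check means enrollment answers and new passwords cross the network in clear text; a failed port check points at the DMZ-to-LAN firewall rule rather than at IIS.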
2.6.3. Troubleshooting

Persistent -29 error

In some environments it is necessary to create an additional local user on the machine running the SSRPM Service. This local user needs to have the same user name and password as the local user on the DMZ (IIS) machine and the domain user. Before trying this, we recommend double checking the configuration described above and verifying that all the required ports are open.

3. Configuring the Web Interface

The web interface has 2 config files:
1. Config.asp
2. ConfigCaptha.asp

3.1. Config.asp

In this file you can configure the standard behavior of the web interface, such as:
1. The location of the SSRPM Service
2. The port used by the SSRPM Service
3. The default domain
4. Hiding the domain input field
5. Enabling or disabling autocomplete
6. Enabling or disabling the CAPTCHA functionality
7. Showing the account unlock option
8. Overriding the auto detection of the user's language and forcing a specific language
9. Disabling test messages for advanced authentication

3.2. ConfigCaptha.asp

In this file you can configure the standard behavior of the CAPTCHA, such as:
1. Using random numbers, random numbers and characters, or a wordlist
2. The noise levels
3. The minimum length of the CAPTCHA code

4. Web Interface Overview

This chapter describes which pages are available when using the SSRPM Web Interface. Please note that the provided web pages can be fully customized.
4.1. Main Window

The main window 'Default.asp' is displayed if the user browses to the Web Interface. The user is presented with three options, which are described in the following chapters:
Enroll into SSRPM. Allows a user to enroll into the SSRPM Program.
Reset your password. Allows a user to reset his password (and optionally to unlock his account).
Unlock your account. Allows a user to unlock his account without resetting his password.
4.2. Enrollment

If a user has chosen to enroll into SSRPM, he is first asked to log on:
If the user is already enrolled, he will be asked if he wants to re-enroll or to un-enroll. Should the user choose the un-enroll option, a pop-up dialog will be shown to ask the user to confirm. If the user confirms, the user will be un-enrolled from SSRPM and will return to the main window. If the user cancels, the user will return to the re-enroll/un-enroll web page. If the user is not enrolled, this page will not be displayed and the user will be presented with the questions as shown below.
Once the user is logged on, he will be asked to answer the questions specified in the profile:
After answering the required question, the user can enroll by clicking the 'Enroll' button. If the enrollment succeeds, he will be presented with the following page:

After the enrollment process, the user can reset his password or optionally unlock his account.

4.3. Reset Password

If a user has chosen to reset his password, he is first asked to identify himself:
After the user has identified himself, he is asked to answer the question he answered during enrollment:
After answering the questions the user can enter the new password:
After answering the required questions and entering a new password, the user can reset his password by clicking on the 'Reset Password' button. If the user successfully resets his password, he will be presented with the following page:
4.4. Unlock Account

If a user has chosen to unlock his account, he is first asked to identify himself:
After the user has identified himself, he is asked to answer the question he answered during enrollment:
After answering the required questions the user can unlock his account by clicking on the 'Unlock Account' button. If the user successfully unlocks his account, he will be presented with the following page:

5. Frequently Asked Questions (FAQ)

Can I change anything in the Web Interface?
Yes, the web interface is fully customizable. It is even possible to write your own web interface. Please refer to the "COM Object Guide" for a complete list of features.

Is the web interface secure?
It depends on which type of connection you are using. If you are using a default http connection, the connection is not secure. However, the connection can be secured using SSL. Please refer to the 'Installing the Web Interface' chapter in this document for a detailed description of how to configure SSL.

Is the SSRPM COM Object secure?
Yes. The SSRPM COM Object communicates with the SSRPM Service using an encrypted connection.

I am trying to Enroll/Reset a password/Unlock Account and am getting error... What is the problem?
Please refer to the "Implementation Guide" for a list of commonly encountered errors.