



			Citrix WinView
			Application Note

			Communication Devices Inc. (CDI)
			SafeGuard Security Solution (UniGuard, 
			QuadGuard, MultiGuard and MegaGuard)

			

			This application note is for
			informational use only and Citrix
			makes no representations or
			warranties with respect to the
			contents or use of this document or
			of any third-party products
			discussed within.


(December 5, 1994)

Citrix Systems
210 University Drive
Suite 700
Coral Springs, FL 33071
Phone (305) 755-0559
FAX   (305) 341-6880


Overview:
---------


	This application note facilitates the configuration of the CDI SafeGuard
Security solution with Citrix "WinView for Networks" Application Server 
Software.

	The CDI SafeGuard Security product line is a hardware/software security
device that protects computer resources from access by unauthorized users by
using DES (the Data Encryption Standard) to encrypt user passwords uniquely for
each session.  The CDI SafeGuard product line provides Caller Authentication,
Access Control and Modem Management for dial access systems.  The system
comprises several components:

1. CDI SafeGuard hardware module (UniGuard, QuadGuard, MultiGuard or
   MegaGuard) - a highly secure communications controller that connects
   between the "WinView for Networks" server and the modem bank. This hardware
   provides a "Firewall" of protection.

2. WinGuard - a Windows-based software utility used by a remote caller. The
   software operates in conjunction with CDI's Tokens to communicate with a
   CDI SafeGuard family product.

3. DosGuard - a DOS-based software utility used by a remote caller. The
   software is RLINK compatible and operates in conjunction with CDI's Tokens
   to communicate with a CDI SafeGuard family product.

4. TokenMaster - a software utility that programs the DES Tokens and
   SofTokens and loads user information along with the encryption keys into
   the database of the SafeGuard device.

Together the CDI SafeGuard product line and programmable hardware and software 
tokens form a system that recognizes, encrypts, prevents, and records all unauthorized 
attempts at entry to a WinView Application Server, while access for valid users 
remains quick and easy. The system is easy to install, upgrade and network to multiple locations.

Disclaimer:
-----------

	The scenarios described in this document have been tested by Citrix
Systems.  Other variations to the scenarios described in this document may work;
however, they have not specifically been tested by Citrix.  In order to recreate
the configurations, you should use the specified revision levels of all software
products described in this document and stay within the bounds of the features
and functions described in this document.

	Please note that this application note is a living document and will be
modified as new information and versions of the software described herein
become available.  Make sure you have the latest version of this document
before you begin.  The latest version is always available in the Citrix Forum
on CompuServe.


Requirements:
-------------

	1. Citrix WinView for Networks Version 2.21 or higher

	2. CDI SafeGuard Product family

	   A. One or more of the following SafeGuard family products
	      1. UniGuard   - 1 pair of ports
	      2. QuadGuard - 4 pairs of ports
	      3. MultiGuard - 1 to 16 pairs of ports per rack
	      4. MegaGuard - 1 to 48 pairs of ports per rack


	   B. WinGuard, DosGuard, hardware tokens and software tokens are optional
	      as per your business requirements.
	       
	   C. TokenMaster software utility which will program the DES Tokens,
	      SofTokens and load user information along with the encryption keys 
	      into the database of the SafeGuard device.

Setup:
------

   Install WinView as per the WinView Installation Manual.
   Connect terminals and Remote PCs as per the WinView Administration
   manual, without the CDI product, to assure working configurations.
   Note: For asynchronous connectivity, modems or direct connect, it is 
   recommended that the WinView Application Server be equipped with an
   intelligent multiport board such as a DigiBoard X/em series unit.

There are 5 connectivity scenarios described utilizing the CDI SafeGuard
product line and tokens.

1. PC connected to a WinView Application Server via Modems. (Secure call thru)
2. PC connected to a WinView Application Server via Modems. (Pager Token)
3. PC connected to a WinView Application Server via Modems. 
   (SofToken - DosGuard/WinGuard)
4. PC connected to a WinView Application Server via Modems. 
   (HardToken - DosGuard/WinGuard)
5. PC connected to a WinView Application Server


Connect a PC to a WinView Application Server (No Modems)

1. Connect the CDI SafeGuard box between the MultiPort board and the direct 
   connect PC.
   
   Use a null modem cable between the PC and the Modem connector of the CDI box.
   Use a straight cable between the WinView Application Server Multiport 
   board and the Host connector of the CDI box. See the CDI Secure Access Rack
   User Manual, section 2A.


The SafeGuard passes RTS, CTS, and DSR straight through the unit with no manipulation.

LEDs on the front panel of each card indicate DTR, DCD, TX, and RX from the host and modem ports.


2. WinView Application Server settings:
   
   A. From the Workstation Configuration Menu, configure the connection for
      terminal or modem type, depending on your scenario, for the MultiPort
      Card subsystem (e.g. DigiBoard Term1).

      Note the following Workstation settings:
	1. Parity - (usually None)
	2. Baud Rate - select one: 9600 - 115.2k
	3. Stop Bits - (usually 1)
	4. Data Bits - (usually 8)
	5. Connection Type - Connect on DCD
	6. Flow Control - check only:
		a. RTS input handshaking
		b. DTR/DSR enable
		c. CTS output handshaking
		All other settings are DISABLED
	7. Press F4 to save terminal settings.

3. Remote Link (Citrix Client) Settings

   A. From the Remote Link main menu, select AppServer List and configure a 
      direct connect terminal with the following settings:

	1. Connection Type - ASYNC for a normal serial port, (16450 or 16550)
			     or if you are using the Hayes ESP Accelerator 
			     Serial port card.
			     
			     INT14 if using an INT14 driver on the client side 
			     such as a DigiBoard 2-port intelligent serial card.

	2.  Emulation Mode - ICA if using DES Token, TTY for all others.
	3.  Modem Type - Direct Connect
	4.  Device Name: - COM1-4 depending on the port you are using
	5.  Baud Rate - Match the Baud Rate that you selected in step 1A2.
	6.  Device Parameters - usually NONE,8,1 - match as per steps 1A1,1A3,1A4
	7.  Flow Control - NONE
	8.  XON Character - 101
	9.  XOFF Character - 103
	10. Press F4 to save the configuration and exit.

4. Set up the SafeGuard unit as per the manual by connecting a terminal or PC
   to the PC port of the unit. This would include:

	A. Set the current Date and Time for accuracy in the audit trail
	   information.

	B. Set the port up with the same baud rate as the WinView Application
	   Server. A mismatched baud rate will cause unsuccessful logons to the
	   SafeGuard unit and/or the WinView Application Server. DO NOT use the
	   autobaud setting on the CDI box if you are using Tokens. It is also
	   not recommended to use autobaud with the WinView Application Server
	   in the Secure Call Thru mode. Make sure security is enabled for each
	   port in this menu.

	C. Load the database with all the users' attributes through the User menu.

Connect a PC to a WinView Application Server (Modems)

1. Connect the CDI SafeGuard box between the MultiPort board and the modem.
   
   Use a straight cable between the modem and the Modem connector of the CDI box.
   Use a straight cable between the WinView Application Server Multiport 
   board and the Host connector of the CDI box. See the CDI Secure Access Rack
   User Manual, section 2A.


The SafeGuard passes RTS, CTS, and DSR straight through the unit with no manipulation.

LEDs on the front panel of each card indicate DTR, DCD, TX, and RX from the host and modem ports.


2. WinView Application Server settings:
   
   A. From the Workstation Configuration Menu, configure the connection for
      terminal or modem type, depending on your scenario, for the MultiPort
      Card subsystem (e.g. DigiBoard Term1).

      Note the following Workstation settings:
	1. Parity - (usually None)
	2. Baud Rate - select one: 9600 - 115.2k
	3. Stop Bits - (usually 1)
	4. Data Bits - (usually 8)
	5. Connection Type - Connect on DCD
	6. Flow Control - check only:
		a. RTS input handshaking
		b. DTR/DSR enable
		c. CTS output handshaking
		All other settings are DISABLED
	7. Press F4 to save terminal settings.

3. Remote Link (Citrix Client) Settings

   A. From the Remote Link main menu, select AppServer List and configure a 
      direct connect terminal with the following settings:

	1. Connection Type - ASYNC for a normal serial port, (16450 or 16550)
			     or if you are using the Hayes ESP Accelerator 
			     Serial port card.
			     
			     INT14 if using an INT14 driver on the client side 
			     such as a DigiBoard 2-port intelligent serial card.

	2.  Emulation Mode - ICA if using DES Token, TTY for all others.
	3.  Modem Type - select type of modem being used
	4.  Device Name: - COM1-4 depending on the port you are using
	5.  Baud Rate - Match the Baud Rate that you selected in step 1A2.
	6.  Device Parameters - usually NONE,8,1 - match as per steps 1A1,1A3,1A4
	7.  Flow Control - NONE
	8.  XON Character - 101
	9.  XOFF Character - 103
	10. Press F4 to save the configuration and exit.

4. Set up the SafeGuard unit as per the manual by connecting a terminal or PC
   to the PC port of the unit. This would include:

	A. Set the current Date and Time for accuracy in the audit trail
	   information.

	B. Set the port up with the same baud rate as the WinView Application
	   Server. A mismatched baud rate will cause unsuccessful logons to the
	   SafeGuard unit and/or the WinView Application Server. DO NOT use the
	   autobaud setting on the CDI box if you are using Tokens. It is also
	   not recommended to use autobaud with the WinView Application Server
	   in the Secure Call Thru mode. Make sure security is enabled for each
	   port in this menu.

	C. Load the database with all the users' attributes through the User menu.
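
The matching rules in steps 2 through 4 (baud rate and line parameters,
autobaud, per-port security, emulation mode) can be checked mechanically before
a port is put into service. The Python below is an added example, not part of
the Citrix or CDI material; the Line class, the check_link function and the
treatment of the pager as a token for the autobaud rule are assumptions made
for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Line:
    """Serial parameters for one device; baud=None models autobaud."""
    baud: Optional[int]
    parity: str = "NONE"
    data_bits: int = 8
    stop_bits: int = 1

def check_link(server: Line, client: Line, guard_baud: Optional[int],
               guard_security: bool, client_emulation: str,
               auth_mode: str) -> List[str]:
    """Return findings for one port.

    auth_mode is 'des_token', 'pager' or 'secure_call_thru' (hypothetical
    labels for the operating modes this note describes).
    """
    findings = []
    if not guard_security:
        findings.append("ERROR: security not enabled on SafeGuard port")
    if guard_baud is None:
        # Assumption: the pager is treated as a token for the autobaud rule.
        if auth_mode in ("des_token", "pager"):
            findings.append("ERROR: autobaud on SafeGuard port with tokens")
        elif auth_mode == "secure_call_thru":
            findings.append("WARN: autobaud not recommended with Secure Call Thru")
    elif guard_baud != server.baud:
        findings.append(
            f"ERROR: SafeGuard baud {guard_baud} != server baud {server.baud}")
    if (client.baud, client.parity, client.data_bits, client.stop_bits) != \
       (server.baud, server.parity, server.data_bits, server.stop_bits):
        findings.append("ERROR: client line parameters do not match server")
    # ICA emulation only with a DES token; TTY for every other mode.
    wanted = "ICA" if auth_mode == "des_token" else "TTY"
    if client_emulation.upper() != wanted:
        findings.append(f"ERROR: emulation {client_emulation} should be {wanted}")
    return findings

if __name__ == "__main__":
    # Constructed sample: client at the wrong speed, SafeGuard left on autobaud.
    for finding in check_link(Line(57600), Line(38400), None, False,
                              "TTY", "des_token"):
        print(finding)
```
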


Operation: (using DES Token)
----------
1. Invoke the DosGuard software. Enter your ID and Password that have
   previously been loaded into the SafeGuard unit. Enter the PIN number that
   has been assigned to your token. Select the proper COM port and INT14 if
   applicable. Your authentication criteria will now remain in a TSR until
   you uninstall the TSR or disrupt DOS.

2. Place the SofToken diskette in one of the drives or the HardToken connector
   on one of the parallel ports of the PC.

3. From the Remote Link Main Menu select "Dial/Connect to server", and select
   the configuration you just created. Once a connection has been established,
   DosGuard will automatically log you onto the SafeGuard unit transparently.
   This will be done using DES encryption along with a unique session key.
   DosGuard will display ACCESS GRANTED for a successful attempt. If you
   receive ACCESS DENIED, check your ID and PASSWORD for proper "case"
   (upper/lower) and their content. If you receive ACCESS DENIED immediately
   upon connection, you have typed the wrong PIN number into DosGuard. Unload
   DosGuard by typing DOSGUARD /U at the DOS prompt and reinvoke DosGuard with
   the correct parameters.

4. After the connection has been established and SafeGuard has authenticated
   the user between the WinView Application Server and the Client, the
   SafeGuard equipment acts as a passthrough and WinView functions normally.

Operation: (using Pager as a Token)
----------
1. RLINK must be in the TTY mode and you should have your pager handy.

2. From the Remote Link Main Menu select "Dial/Connect to server", and select
   the configuration you just created. Once a connection has been established
   you will be prompted to enter your ID. Enter your ID followed by a carriage
   return. The system will respond with "Sending challenge to pager". In about
   40 seconds your pager should indicate that it has received a page. This
   page will be an 8 digit number. Enter that number. The system should
   respond with "HOST CONNECTED" and RLINK should detect ICA and automatically
   convert to ICA.

3. After the connection has been established and SafeGuard has authenticated
   the user between the WinView Application Server and the Client, the
   SafeGuard equipment acts as a passthrough and WinView functions normally.
       

Operation: (using Secure Call Thru)
----------
1. RLINK must be in the TTY mode.

2. From the Remote Link Main Menu select "Dial/Connect to server", and select
   the configuration you just created. Once a connection has been established
   you will be prompted to enter your ID. Enter your ID followed by a carriage
   return. The system will respond with Enter Your Password>. Enter your
   password followed by a carriage return. The system should respond with
   "HOST CONNECTED" and RLINK should detect ICA and automatically convert to
   ICA.

3. After the connection has been established and SafeGuard has authenticated
   the user between the WinView Application Server and the Client, the
   SafeGuard equipment acts as a passthrough and WinView functions normally.
       
     
       
Notes:
------
	1. DosGuard is the ONLY secure access software to allow the user to
	   authenticate in native ICA mode transparently. This is very useful
	   for quicker logons along with no dropped logons due to failure to
	   detect ICA from TTY.

	2. Autologin features of WinView can be used if necessary, however
	   some Administrators may consider this to "weaken" security measures.
	   
	3. The CDI SafeGuard will support the V.34 standard for 115.2K baud.  

	   Note: If using modems, your telephone lines may not be able to 
	   support the higher speeds.  If you experience random disconnections
	   at the higher speeds, please refer to the Readme in your Remote Link
	   directory or the System Readme on the host entitled "Configuring 
	   Modems with the Application Server".

Problems:
---------
	  There are no known problems at this time.

Vendor support:
-------------------

CDI provides a technical support hotline from 8:00 AM until 5:00 PM EST Monday through Friday at 800-359-8561.
