



                        Citrix Winview
                        Application Note

                        Digital Pathways, Inc.
                        Defender Series
                        Hardware Security Solution
                        Defender 5000

                        This application note is for
                        informational use only and Citrix
                        makes no representations or
                        warranties with respect to the
                        contents or use of this document or
                        of any of third-party products
                        discussed within.


(November 16, 1994)

Citrix Systems
210 University Drive
Suite 700
Coral Springs, FL 33071
Phone (305) 755-0559
FAX   (305) 341-6880


Overview:
---------


        This application note describes how to configure the Digital
Pathways Defender 5000 system with Citrix "WinView for Networks" Application
Server Software.

        The Digital Pathways Defender 5000 system is a hardware security
device that protects computer resources from access by unauthorized users.  The
system comprises:

1. A Digital Pathways Defender 5000 Chassis with the following options:
   
   A. An FPU (Flexible Processing Unit) which contains communication ports for 
      supervisory use, and controls the Defender 5000 Chassis.
   
   B. One or more FSB/HSB (Flexible Serial Board/High-speed Serial Board) cards,
      which contain the communication ports. These ports either have modems
      attached or are directly connected to the clients; through them the
      Defender 5000 intercepts incoming calls and executes the programmed
      security measures.

2. Optional Software/Hardware DES (Data Encryption Standard) Token Encryption.
   
   A. WinSNK/DOSSNK - software based SecureNet Key.
   
   B. Hardware SNK - Handheld Calculator Size Hardware SecureNet Key.

The Defender 5000 is a unique system that recognizes, prevents, and records
all unauthorized attempts at entry to a WinView Application Server, while
access for valid users remains quick and easy. It is easily upgradable, fully
configurable, and has a built-in scripting language, Lingo, which allows further
customization, such as user menus for host access. Modems can be assigned
different functions, such as callback request, callback, dial-in, and dial-out.


Disclaimer:
-----------

        The scenarios described in this document have been tested by Citrix
Systems.  Other variations of the scenarios described in this document may work;
however, they have not specifically been tested by Citrix.  In order to recreate
the configurations, you should use the specified revision levels of all software
products described in this document and stay within the bounds of the features
and functions described in this document.

        Please note that this application note is a living document and will be
modified as new information and versions of the software described herein
become available.  Make sure you have the latest version of this document
before you begin.  The latest version is always available in the Citrix Forum
on CompuServe.


Requirements:
-------------

        1. Citrix WinView for Networks Version 2.21 or higher

        2. Digital Pathways Equipment

           A. Defender 5000 Chassis
           
           B. FPU (Flexible Processing Unit) Defender Chassis CPU
           
           C. One or more of the following serial cards:
              1. FSB (Flexible Serial Board) for speeds up to 19,200bps
              2. HSB (High-speed Serial Board) for speeds up to 230,400bps

              
              
Setup:
------

   Install WinView as per the WinView Installation Manual.
   Connect terminals and remote PCs as per the WinView Administration
   manual, without the Defender product, to confirm that the configurations
   work before the Defender is inserted.
   Note: For asynchronous connectivity, whether via modems or direct connect,
   it is recommended that the WinView Application Server be equipped with an
   intelligent multiport board such as a DigiBoard X/em series unit.


There are two connectivity scenarios described utilizing the Defender equipment:

1. PC direct-connect to a WinView Application Server through Defender
   (No Modems).
2. PC connected to a WinView Application Server through Defender via Modems.

For either scenario, install and configure the Defender 5000 as per the
Digital Pathways Operations Manual. Section 4 covers hardware/software
installation. After configuring the Defender, read section 3 of the manual,
which explains all security modes available.

PC direct-connect to a WinView Application Server (No Modems)

1. Connect the Defender between the MultiPort board and the direct connect PC.
   
   A. Connect a terminal or PC to a console port on the FPU as per Digital
      Pathways Operations Manual page 4-4.
   B. Initialize FPU memory (full reset) as per Digital Pathways Operations 
      Manual page 4-4.
   C. Select a host-modem port on a Defender FSB/HSB board.
   D. Use a null modem cable between the PC and the modem connector of the
      selected host-modem port.
   E. Use a modem cable between the WinView Application Server Multiport board 
      and the host connector of the selected host-modem port, as per Digital 
      Pathways Operations Manual section 11.
   F. Login as a supervisor on the console, and configure Defender modems, hosts,
      users, and security as per section 4 of the Operations Manual.

2. WinView Application Server settings:
   
   A. From the Workstation Configuration Menu configure a direct connect 
   terminal for the MultiPort Card subsystem (Ex. DigiBoard Term1).

      Note the following Workstation settings:
        1. Parity - (usually None)
        2. Baud Rate : 9600 - 19,200bps for FSB, 9600 - 115,200bps for HSB
        3. Stop Bits (usually 1)
        4. Data Bits (usually 8)
        5. Connection Type - Connect on DCD
        6. Flow Control - check only:
                a. RTS input handshaking
                b. DTR/DSR enable
                c. CTS output handshaking
                All other settings are DISABLED
        7. F4 to save terminal settings.

3. Remote Link (Citrix Client) Settings

   A. From the Remote Link main menu, select AppServer List and configure a 
      direct connect terminal with the following settings:

        1.  Connection Type - ASYNC for a normal serial port (16450 or 16550
                              UART), or for a Hayes ESP Accelerator serial
                              port card.

                              INT14 if using an INT14 driver on the client side,
                              such as a DigiBoard 2-port intelligent serial card.

        2.  Emulation Mode - TTY
        3.  Modem Type - Direct Connect
        4.  Device Name - COM1-4, depending on the port you are using
        5.  Baud Rate - Match the Baud Rate that you selected in step 2A2.
        6.  Device Parameters - usually NONE,8,1 - match as per steps 2A1, 2A3, 2A4
        7.  Flow Control - RTS/CTS
        8.  XON Character - 101
        9.  XOFF Character - 103
        10. Press F4 to save the configuration and exit.

4. A. From the Remote Link Main Menu select "Dial/Connect to server", and
      select the configuration you just created. You should see
      "Connecting" at the top left of the screen.  Press return and you should
      receive a message from Defender and a request for ID. Use an
      ID/Password combination that you created in step 1F. After a short delay,
      and Rlink/WinView ICA negotiation, the WinView login should commence.
   
   B. If this has worked, you can go back and configure other ports for your
      users as required.
   
Connect a PC to a WinView Application Server (Modems)

1. Connect the Defender between the MultiPort board and the host modem.
   
   A. Connect a terminal or PC to a console port on the FPU as per Digital
      Pathways Operations Manual page 4-4.
   B. Initialize FPU memory (full reset) as per Digital Pathways Operations 
      Manual page 4-4.
   C. Select a host-modem port on a Defender FSB/HSB board.
   D. Use a modem cable between the modem and the modem connector of the
      selected host-modem port.
   E. Login as a supervisor on the console, and configure Defender modems, 
      hosts, users, and security as per section 4 of the Operations Manual.
   F. Use a modem cable between the WinView Application Server Multiport board 
      and the host connector of the selected host-modem port, as per Digital 
      Pathways Operations Manual section 11.


2. WinView Application Server settings:
   
   A. From the Workstation Configuration Menu configure a direct connect 
   terminal for the MultiPort Card subsystem (Ex. DigiBoard Term1).

      Note the following Workstation settings:
        1. Parity - (usually None)
        2. Baud Rate : 9600 - 19,200bps for FSB, 9600 - 115,200bps for HSB
        3. Stop Bits (usually 1)
        4. Data Bits (usually 8)
        5. Connection Type - Connect on DCD
        6. Flow Control - check only:
                a. RTS input handshaking
                b. DTR/DSR enable
                c. CTS output handshaking
                All other settings are DISABLED
        7. F4 to save terminal settings.





3. Remote Link (Citrix Client) Settings

   A. From the Remote Link main menu, select AppServer List and configure a 
      client modem connection with the following settings:

        1.  Connection Type - ASYNC for a normal serial port (16450 or 16550
                              UART), or for a Hayes ESP Accelerator serial
                              port card.

                              INT14 if using an INT14 driver on the client side,
                              such as a DigiBoard 2-port intelligent serial card.

        2.  Emulation Mode - TTY
        3.  Modem Type - Choose from the menu
        4.  Device Name - COM1-4, depending on the port you are using
        5.  Baud Rate - Match the Baud Rate that you selected in step 2A2.
        6.  Device Parameters - usually NONE,8,1 - match as per steps 2A1, 2A3, 2A4
        7.  Flow Control - RTS/CTS
        8.  XON Character - 101
        9.  XOFF Character - 103
        10. Press F4 to save the configuration.

4. A. From the Remote Link Main Menu select "Dial/Connect to server", and select
      the configuration you just created. The client modem should dial,
      negotiate with the host modem, and display "Connecting" at the top left
      of the screen. Press return, and you should receive a message from
      Defender and a request for ID. Use an ID/Password combination created in
      step 1E. After a short delay, and Rlink/WinView ICA negotiation, the
      WinView login will begin.

   B. If this has worked, you can go back and configure other ports for your
      users as required.


Operation:
----------

    1. When a connection has been made, whether direct-connect or modems 
       have dialed and established a connection, the user will press return 
       and be prompted for an ID.  After the correct ID/Password combination
       has been presented, Defender will authenticate the user. If this 
       is successful the user will be "Kicked" to the Host and login to
       the WinView Application Server. At this point, the Defender equipment 
       acts as a passthrough and WinView functions normally.
       

Optional Security Enhancements
------------------------------


        This section covers the usage of the optional WinSNK/DOSSNK
encrypted token software from Digital Pathways, Inc., and the callback
feature of the Defender 5000.

1. Soft Tokens

        Soft tokens are alphanumeric sequences created by scrambling a
        number or word with a predefined encryption key. In the Defender 5000
        system, the encryption key is entered in each user record, and also
        when the WinSNK/DOSSNK diskettes are prepared, so the Defender and the
        client PC share the same key. Soft tokens add a second check on top of
        the ID/Password combination and therefore provide stronger protection
        than ID/Password alone. This section covers the setup and usage of soft
        tokens with the Defender 5000 and the WinView Application Server.
        Digital Pathways, Inc.'s SNK programs are supported only with Rlink
        over modems (dial-in). Direct connect is NOT supported, because the
        SNK hot-key program monitors the COM port and will only function when
        it senses a modem connection.

  A. Connect a PC to a WinView Application Server (Modems)

   1. Setup
     A. Set up the Defender 5000 and WinView Application Server as per the
        instructions above for Modems. No special changes are required.
     B. Set up the WinSNK diskettes as per the SNK manual for all users who will
        use SNK. Note the PIN, User ID, Password, and encryption key, as they
        will be needed in the next step.
     C. Set up the User IDs for which the SNK diskettes were created in step B.
     D. Set up additional Defender 5000 information as per the Digital Pathways
        Operations Manual. The sections that must be changed are security
        classes and user records.
     E. Set up the WinSNK software on the client PCs.

   2. Usage
     A. Using Rlink with SNKs is almost exactly the same as using it without
        them, except that when a connection is made, the hot-key is pressed and
        the SNK program takes over and automates the login to the Defender 5000.
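The exchange the soft token automates, shown as an added Python example (this is
not Digital Pathways' code and not the actual SNK algorithm). The real SecureNet
Key scrambles the Defender's prompt with a per-user DES key; DES is not in
Python's standard library, so a keyed HMAC-SHA256 stands in for the keyed
scrambling step. The user database layout, the challenge and response lengths,
the user names and the key value are all constructed for this illustration. The
point it makes that the text does not: because the Defender issues a fresh
challenge per login and consumes it on first use, a response captured off the
line cannot be replayed, and the shared key never crosses the modem link.

```python
import hashlib
import hmac
import secrets

RESPONSE_DIGITS = 8   # assumed length of the typed response
CHALLENGE_DIGITS = 6  # assumed length of the Defender's challenge prompt


def compute_response(key: bytes, challenge: str) -> str:
    """Client side: what WinSNK/DOSSNK does with the shared key.

    Stand-in for the DES step: a keyed MAC over the challenge, reduced to a
    fixed number of decimal digits so a user could type it at the prompt.
    """
    mac = hmac.new(key, challenge.encode("ascii"), hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big") % 10 ** RESPONSE_DIGITS
    return str(value).zfill(RESPONSE_DIGITS)


class Defender:
    """Host side. Each user record holds the password and the per-user key,
    matching the note's statement that the key is entered in the user record."""

    def __init__(self, rng=None):
        self.users = {}                       # user_id -> record dict
        self.rng = rng or secrets.SystemRandom()
        self.audit = []                       # the Defender records every attempt

    def add_user(self, user_id: str, password: str, key: bytes) -> None:
        self.users[user_id] = {"password": password, "key": key, "pending": None}

    def login(self, user_id: str, password: str):
        """Stage 1: ID/password. Returns a fresh challenge on success, else None."""
        rec = self.users.get(user_id)
        if rec is None or not hmac.compare_digest(rec["password"].encode(),
                                                  password.encode()):
            self.audit.append(f"REJECT id={user_id} stage=password")
            return None
        rec["pending"] = "".join(self.rng.choice("0123456789")
                                 for _ in range(CHALLENGE_DIGITS))
        return rec["pending"]

    def verify(self, user_id: str, response: str) -> bool:
        """Stage 2: check the token response. The outstanding challenge is
        consumed on first use, so a captured response cannot be replayed."""
        rec = self.users.get(user_id)
        if rec is None or rec["pending"] is None:
            self.audit.append(f"REJECT id={user_id} stage=token reason=no-challenge")
            return False
        challenge, rec["pending"] = rec["pending"], None
        ok = hmac.compare_digest(compute_response(rec["key"], challenge), response)
        self.audit.append(f"{'KICK-TO-HOST' if ok else 'REJECT'} id={user_id} stage=token")
        return ok


def run_exchange() -> dict:
    """Constructed walk-through of one dial-in; returns the outcomes."""
    key = bytes.fromhex("0123456789abcdef")      # constructed 8-byte (DES-sized) key
    host = Defender()
    host.add_user("jsmith", "s3cret", key)

    results = {"wrong_password": host.login("jsmith", "guess") is None}
    challenge = host.login("jsmith", "s3cret")   # Defender prompts with this
    response = compute_response(key, challenge)  # WinSNK computes this on the PC
    results["first_use"] = host.verify("jsmith", response)
    results["replay"] = host.verify("jsmith", response)   # nothing outstanding now
    challenge2 = host.login("jsmith", "s3cret")
    tampered = compute_response(key, challenge2)
    tampered = tampered[:-1] + ("0" if tampered[-1] != "0" else "1")
    results["tampered"] = host.verify("jsmith", tampered)
    return results


if __name__ == "__main__":
    print(run_exchange())
```

Only the challenge and the response travel over the modem link; the key stays
in the Defender user record and on the SNK diskette. This is why the note says
to set up the diskette and the user record with the same key, and why a lost
diskette must be treated like a lost hardware SNK.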

2. Callback system

        The Defender 5000's callback system is a second option for enhancing
        the security of a dial-in system. It allows one modem to be configured
        for receiving callback requests and another modem for the actual
        callback. The number at which the user is called back is preset in
        that user's UserID record rather than supplied by the caller. Callback
        is supported only under Rlink (modems).

   1. Setup
     A. Set up the Defender 5000 and the WinView Application Server as per the
        instructions above for Modem usage.
     B. Configure security classes and user IDs to allow callback as per the
        Digital Pathways Operations Manual section 3. Make sure the User ID has
        access to the host that the CB program will run on, and that the phone
        number the user is to be called back at is entered.
     C. Configure a modem port to run the RQ (Callback Request) program. This
        is done under [S]tatus, [B]ox, [P]rogram, and is covered in section 3
        of the Operations Manual.
     D. Configure a modem port to run the CB (Callback) program. This is also
        covered in section 3 of the Operations Manual. When selecting [M]odem
        type, edit the record for the modem you chose/created, and blank out the
        option for [C]onnected, so that the Defender 5000 detects carrier from
        the signal lines and not from the modem result codes. Enable autobaud by
        changing option [9] Read Baud From Connect: to 'OFF'.
     E. Callback SNK can be enabled under the security class assigned to the
        callback users you wish to have SNKs. This is entered under [C]lass,
        [S]ecurity. It tells the Defender 5000 to give a 4-digit token to
        the user when it has approved the callback, and to request the same
        number upon successful modem connection on the callback.
     F. Within Rlink, after you have selected the correct modem, modify the
        initialization string to include 'S0=1' (without the quotes) so that the
        client modem answers on the first ring when the Defender calls back.

   2. Usage
     A. Create an entry for the Callback Request port modem, and dial it.
     B. After connecting and entering the UserID/Password combination, the
        Defender 5000 will give the token if enabled. It will then hang up
        and call back through one of the Callback ports.
     C. When the Defender 5000 calls back, the client modem should answer
        automatically. If tokens are not used, pressing <ENTER> once or twice
        will connect the user to the WinView Application Server. If tokens are
        enabled, press <ENTER> once or twice, and the Defender 5000 will request
        the token; if it is correct, the user will be passed on to the WinView
        Application Server.
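The callback flow above as an added Python example, not code from Digital
Pathways or Citrix. It models the RQ (callback request) port and the CB
(callback) port of one box, with the 4-digit Callback SNK token, and stands in a
recording dialer for the outbound modem so it runs offline. Record field names,
user names and numbers are constructed. What it shows beyond the text: the
callback number always comes from the user record (anything the caller claims
is ignored), and each callback request is honoured once, so a token or a
callback leg cannot be reused.

```python
import hmac
import secrets


class RecordingDialer:
    """Stand-in for the CB port's outbound modem: records the numbers dialled
    instead of placing calls (constructed for this example)."""

    def __init__(self):
        self.calls = []

    def __call__(self, number: str) -> None:
        self.calls.append(number)


class CallbackDefender:
    """Models the RQ (callback request) and CB (callback) ports of one box.

    Each user record carries the preset callback number and whether the user's
    security class has Callback SNK enabled; the field names are assumptions."""

    def __init__(self, dialer, rng=None):
        self.users = {}
        self.dialer = dialer
        self.rng = rng or secrets.SystemRandom()
        self.pending = {}   # user_id -> token (or None) for a callback in progress
        self.audit = []

    def add_user(self, user_id, password, callback_number, callback_snk=False):
        self.users[user_id] = {"password": password,
                               "callback_number": callback_number,
                               "callback_snk": callback_snk}

    def request(self, user_id, password, claimed_number=None):
        """RQ port: check ID/password, issue the 4-digit token if the class
        enables Callback SNK, then hang up and dial the preset number.

        claimed_number models anything the caller says about where to reach
        them; it is deliberately never used, only the user record decides."""
        rec = self.users.get(user_id)
        if rec is None or not hmac.compare_digest(rec["password"].encode(),
                                                  password.encode()):
            self.audit.append(f"REJECT id={user_id} port=RQ")
            return ("REJECT", None)
        token = f"{self.rng.randrange(10_000):04d}" if rec["callback_snk"] else None
        self.pending[user_id] = token
        self.audit.append(f"CALLBACK id={user_id} to={rec['callback_number']}")
        self.dialer(rec["callback_number"])      # outbound leg on the CB port
        return ("HANGUP", token)                 # token is shown to the user, then hang up

    def callback_answered(self, user_id, token=None):
        """CB port: the modem at the preset number has answered (S0=1). A callback
        is honoured once; the pending entry is consumed whatever the outcome."""
        rec = self.users.get(user_id)
        if rec is None or user_id not in self.pending:
            self.audit.append(f"REJECT id={user_id} port=CB reason=no-request")
            return "REJECT"
        expected = self.pending.pop(user_id)
        if rec["callback_snk"] and (
                token is None or not hmac.compare_digest(token, expected)):
            self.audit.append(f"REJECT id={user_id} port=CB reason=token")
            return "REJECT"
        self.audit.append(f"KICK-TO-HOST id={user_id} port=CB")
        return "KICK-TO-HOST"


if __name__ == "__main__":
    dialer = RecordingDialer()
    box = CallbackDefender(dialer)
    box.add_user("jsmith", "s3cret", "555-0100", callback_snk=True)
    state, token = box.request("jsmith", "s3cret", claimed_number="555-0666")
    print(state, token, dialer.calls)
    print(box.callback_answered("jsmith", token))
    print(box.callback_answered("jsmith", token))
    for line in box.audit:
        print(line)
```

The audit list mirrors what the note says the Defender records; in a real
deployment the numbers dialled on the CB port are the record to review, since a
callback to an unexpected number means the user record, not the caller, was
changed.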
        
Notes:
------

        1. Callback and Soft Tokens are not supported with direct-connect systems.

        2. Autologin features of WinView can be used if necessary; however,
           some Administrators may consider this to "weaken" security measures.

        3. At this time the Defender 5000 hardware products support baud rates
           up to 19,200bps with the FSB and 230,400bps with the HSB, while
           today's modems, in conjunction with WinView compression and the proper
           hardware on both the host and the client, can be configured for baud
           rates up to 115,200. For use with WinView Application Servers,
           115,200 is the maximum supported speed.

           For example, without the Defender 5000, the host (WinView Application
           Server) would be equipped with an intelligent multiport card such as
           a DigiBoard X/em series board, which supports baud rates up to
           115,200. Client PCs equipped with the proper serial port card,
           such as an intelligent serial card like the DigiBoard 2-port or a
           large-buffer board like the Hayes ESP Accelerator card, can be
           configured to support baud rates as high as 115,200. Because of modem
           hardware compression and WinView's software compression, modems are
           configured at roughly four times their stated baud rate; for example,
           14,400 modems are configured at 57,600 and 28,800 modems are
           configured at 115,200.

           Note: If using modems, your telephone lines may not be able to
           support the higher speeds.  If you experience random disconnections
           at the higher speeds, please refer to the Readme in your Remote Link
           directory or the System readme on the host entitled "Configuring
           Modems with the Application Server".

Problems:
---------
        There are no known problems at this time.          

