



                        Citrix Winview
                        Application Note

                        Security Dynamics
                        Access Control Module (ACM)
                        Hardware Security Solution
                        ACM/1600, ACM/400, ACM/100

                        This application note is for
                        informational use only and Citrix
                        makes no representations or
                        warranties with respect to the
                        contents or use of this document or
                        of any third-party products
                        discussed within.


(April 4, 1995)

Citrix Systems
210 University Drive
Suite 700
Coral Springs, FL 33071
Phone (305) 755-0559
FAX   (305) 341-6880


Overview:
---------


        This application note facilitates the configuration of the Security
Dynamics Access Control system with Citrix "WinView for Networks" Application
Server Software. 

        The Security Dynamics Access Control system is a hardware security 
device that protects computer resources from access by unauthorized users.  The 
system comprises two major elements:

1. The Access Control Module (Hardware) ACM/1600-16 port, ACM/400-4 port or the
   ACM/100-1 port which is a highly secure communications controller that
   connects and disconnects the input/output lines to the protected host
   computer.

2. The SecurID card(s), credit card sized microprocessing unit(s) that calculate
   and display codes which change unpredictably at a specified interval,
   typically every 60 seconds.

Together the SecurID card and the ACM form a system that recognizes, prevents, 
and records all unauthorized attempts at entry to a WinView Application Server, 
while access for valid users remains quick and easy.

Disclaimer:
-----------

        The scenarios described in this document have been tested by Citrix
Systems.  Other variations to the scenarios described in this document may work;
however, they have not specifically been tested by Citrix.  In order to recreate
the configurations, you should use the specified revision levels of all software
products described in this document and stay within the bounds of the features
and functions described in this document.

        Please note that this application note is a living document and will be
modified as new information and versions of the software described herein
become available.  Make sure you have the latest version of this document
before you begin.  The latest version is always available in the Citrix Forum
on CompuServe. 

        PLEASE FOLLOW THE SETUP INFORMATION INCLUDED IN THIS APPLICATION NOTE,
WHEN CONFIGURING THE WINVIEW APPLICATION SERVER WITH THE SECURITY DYNAMICS ACM
SYSTEM.


Requirements:
-------------

        1. Citrix WinView for Networks Version 2.21 or higher

        2. Security Dynamics Equipment

           A. One of the following ACM's
              1. ACM/1600 Hardware running software version 4.12A or later
              2. ACM/400  Hardware running software version 1.12A or later 
              3. ACM/100  Hardware running software version 1.12A or later

           B. Credit card sized microprocessing SecurID cards.
              NOTE: One of which must be an Administrator level card.

Setup:
------

   Install WinView as per the WinView Installation Manual.
   Connect terminals, and Remote PC's as per the WinView Administration
   manual, without the SecurID product, to assure working configurations.
   Note: For asynchronous connectivity, modems or direct connect, it is 
   recommended that the WinView Application Server be equipped with an
   intelligent multiport board such as a DigiBoard X/em series unit.

There are two connectivity scenarios described utilizing the SecurID equipment.

1. PC direct-connect to a WinView Application Server (No Modems).
2. PC connected to a WinView Application Server via Modems.

PC direct-connect to a WinView Application Server (No Modems)

1. Connect the ACM box between the MultiPort board and the direct connect PC.
   
   Use a modem cable between the PC and the DTE connector of the ACM.
   Use a null modem cable between the WinView Application Server Multiport 
   board and the DCE of the ACM, as per Security Dynamics ACM Instruction 
   Manual pages I-3,I-4, and I-5.

2. WinView Application Server settings:
   
   A. From the Workstation Configuration Menu configure a direct connect 
      terminal for the MultiPort Card subsystem (Ex. DigiBoard Term1).

      Note the following Workstation settings:
        1. Parity - (usually None)
        2. Baud Rate select one: 38.4k, 19.2k, 9600
        3. Stop Bits (usually 1)
        4. Data Bits (usually 8)
        5. Connection Type - Connect on DCD
        6. Flow Control - check only:
                a. RTS input handshaking
                b. DTR/DSR enable
                c. CTS output handshaking
                All other settings are DISABLED
        7. F4 to save terminal settings.

3. Remote Link (Citrix Client) Settings

   A. From the Remote Link main menu, select AppServer List and configure a 
      direct connect terminal with the following settings:

        1. Connection Type - ASYNC for a normal serial port, (16450 or 16550)
                             or if you are using the Hayes ESP Accelerator 
                             Serial port card.
                             
                             INT14 if using an INT14 driver on the client side 
                             such as a DigiBoard 2-port intelligent serial card.

        2.  Emulation Mode - TTY
        3.  Modem Type - Direct Connect
        4.  Device Name: - COM1-4 depending on the port you are using
        5.  Baud Rate - Match the Baud Rate that you selected in step 2A2.
        6.  Device Parameters - usually NONE,8,1 - match as per steps 2A1,2A3,2A4
        7.  Flow Control - RTS/CTS
        8.  XON Character - 101
        9.  XOFF Character - 103
        10. Press F4 to save the configuration and exit.

4. From the Remote Link Main Menu select "Dial/Connect to server", and select
   the configuration you just created. You should receive a "Connecting"
   at the top left of the screen.  Press return and you should receive an
   "Enter PASSCODE:" at the bottom left of the screen. If you are logging in
   for the first time, please follow the instructions in the ACM Instruction 
   Manual for obtaining a PIN and logging in starting at page user-5.
   
   NOTE: Use an "Administrator" level SecurID card so you will have the proper 
         authorization to configure the ACM.

5. After you have obtained a PIN and logged in to the ACM with administrator 
   privileges, the ACM Main ADMINISTRATION Menu should be displayed on your 
   screen. 
   
   A. Select 12, Channel Status and configure your channel as follows:

        1. Baud Rate - Match as per selections in steps 2 and 3.
           Note: Auto can be used for 19.2k or 9600. 38.4k needs to be
           explicitly stated.
        2. Data and parity bits match as per selections in steps above.
        3. Protocol -(d-d) DCD at modem and DCD at Host
        4. Host Command Mode - N
        5. Dialout - N
        6. Select option 1 to return to the Main Administration Menu

   B. Select option 2, "Proceed to Host" - at this time you should see the
      WinView Application Server "YOUR_HOSTNAME!Login" in the top left of the
      screen.  If you have configured a username on the WinView Application
      Server you should be able to login and access the WinView Application
      Server at this time.

   C. If this has worked, you can go back and configure other ports for your
      users as required.
   


Connect a PC to a WinView Application Server (Modems)

1. Connect the ACM box between the MultiPort board and the Host modem of the
   WinView Application Server.

   Use a modem cable between the Host modem and the DTE of the ACM.
   Use a modem cable between the WinView Application Server Multiport 
   board and the DCE of the ACM as per the Security Dynamics ACM Instruction
   manual pages I-3, I-4, and I-5.

2. WinView Application Server settings:
   
   A. From the Workstation Configuration Menu configure a direct connect 
      terminal for the MultiPort Card subsystem (Ex. DigiBoard Term1).

      Note the following Workstation settings:
        1. Parity - (usually None)
        2. Baud Rate select one: 38.4k, 19.2k, 9600
        3. Stop Bits (usually 1)
        4. Data Bits (usually 8)
        5. Connection Type - Connect on DCD
        6. Flow Control - check only:
                a. RTS input handshaking
                b. DTR/DSR enable
                c. CTS output handshaking
                All other settings are DISABLED
        7. F4 to save terminal settings.

3. Remote Link (Citrix Client) Settings

   A. From the Remote Link main menu, select AppServer List and configure a 
      client modem connection with the following settings:

        1. Connection Type - ASYNC for a normal serial port, (16450 or 16550)
                             or if you are using the Hayes ESP Accelerator 
                             Serial port card.
                             
                             INT14 if using an INT14 driver on the client side 
                             such as a DigiBoard 2-port intelligent serial card.

        2.  Emulation Mode - TTY
        3.  Modem Type - Choose from the menu
        4.  Device Name: - COM1-4 depending on the port you are using
        5.  Baud Rate - Match the Baud Rate that you selected in step 2A2.
        6.  Device Parameters - usually NONE,8,1 - match as per steps 2A1,2A3,2A4
        7.  Flow Control - RTS/CTS
        8.  XON Character - 101
        9.  XOFF Character - 103
        10. Press F4 to save the configuration.

4. From the Remote Link Main Menu select "Dial/Connect to server", and select
   the configuration you just created. The client modem should dial, negotiate
   with the host modem and display a "Connecting" at the top left of the screen.  
   Press return and you should receive an "Enter PASSCODE:" at the bottom left 
   of the screen. If you are logging in for the first time, please follow the 
   instructions in the ACM Instruction Manual for obtaining a PIN and logging in 
   starting at page user-5.

   NOTE: Use an "Administrator" level SecurID card so you will have the proper 
         authorization to configure the ACM.

5. After you have obtained a PIN and logged in to the ACM with administrator 
   privileges, the ACM Main ADMINISTRATION Menu should be displayed on your 
   screen. 
   
   A. Select 12, Channel Status and configure your channel as follows:

        1. Baud Rate - Match as per selections in steps 2 and 3.
           Note: Auto can be used for 19.2k or 9600. 38.4k needs to be
           explicitly stated.
        2. Data and parity bits match as per selections in steps 2 and 3.
        3. Protocol -(d-d) DCD at modem and DCD at Host
        4. Host Command Mode - N
        5. Dialout - N
        6. Select option 1 to return to the Main Administration Menu

   B. Select option 2, Proceed to Host - at this time you should see the
      WinView Application Server "YOUR_HOSTNAME!Login" in the top left of the
      screen.  If you have configured a username on the WinView Application
      Server you should be able to login and access the WinView Application
      Server.

   C. If this has worked, you can go back and configure other ports for your
      users as required.


Operation:
----------

    1. When a connection has been made whether direct connect or modems (modems
       have dialed and established a connection), the user will press return 
       and be prompted for a "PASSCODE".  After the correct PIN and SecurID card 
       number have been presented, SecurID will authenticate the user. If this 
       is successful the user will be allowed to "Proceed to Host" and login to
       the WinView Application Server. At this point, the SecurID equipment acts 
       as a passthrough and WinView functions normally.
       
Notes:
------

        1. Autologin features of WinView can be used if necessary, however
           some Administrators may consider this to "weaken" security measures.
           
        2. If possible, a port should be reserved and configured for only an 
           administrator to use.  This will help facilitate ACM configuration
           changes for users.

        3. At this time, the Security Dynamics ACM Hardware products support
           baud rates up to only 38,400, while today's modems, in conjunction 
           with WinView compression and the proper hardware on both the 
           Host and the client, can be configured for baud rates up to 115,200.
           
           NOTE: Although 38,400 baud is available, the ACM will only autobaud 
           (automatically detect connection baud rate) from 300 to 19,200 Baud. 
           If using 38,400 baud, care must be taken to configure all connections 
           at 38,400 baud.

           For example, without Security Dynamics, the Host (WinView Application 
           Server) would be equipped with an intelligent multiport card such as 
           a DigiBoard X/em series board which supports baud rates up to 
           115,200. The client PC's equipped with the proper serial port card, 
           such as an intelligent serial card, a DigiBoard 2 port or a large 
           buffer board like the Hayes ESP Accelerator card, can be configured 
           to support baud rates as high as 115,200. Due to Modem hardware 
           compression and WinView's software compression, modems are configured 
           at roughly four times their stated baud rate, for example 14,400 
           modems are configured at 57,600 and 28,800 modems are configured at 
           115,200. 
           
           Note: If using modems your telephone lines may not be able to 
           support the higher speeds.  If you experience random disconnections
           at the higher speeds, please refer to the Readme in your Remote Link
           directory or the System readme on the host entitled "Configuring 
           Modems with the Application Server".

        4. Make note of the proper cable(s) that must be used in host-to-ACM,
           and ACM-to-workstation/ACM-to-modem. The proper cable must be used
           for the configurations to function correctly.
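
Added example (not part of the original Citrix note, and not Citrix or Security
Dynamics code): a Python check that the settings recorded for one port agree
across the WinView host (step 2), the Remote Link client (step 3) and the ACM
channel (step 5), including the Note 3 rule that the ACM autobauds only up to
19,200. The dictionary keys are hypothetical names and the sample values are
constructed.

```python
# Added example, not Citrix or Security Dynamics code. Dictionary keys are
# hypothetical names; the expected values come from steps 2, 3, 5 and Note 3.
ACM_MAX_BAUD = 38400        # Note 3: highest rate the ACM supports
ACM_AUTOBAUD_MAX = 19200    # Note 3: autobaud only detects 300 to 19,200
HOST_FLOW = {"RTS input", "DTR/DSR", "CTS output"}   # step 2A6

def check_link(host, client, acm):
    """Return a list of setting mismatches; an empty list means consistent."""
    problems = []
    if host["baud"] > ACM_MAX_BAUD:
        problems.append("host baud exceeds the ACM limit of 38,400")
    elif host["baud"] not in (9600, 19200, 38400):
        problems.append("host baud is not 38.4k, 19.2k or 9600 (step 2A2)")
    if client["baud"] != host["baud"]:
        problems.append("client baud differs from host (step 3A5)")
    for key in ("parity", "data_bits", "stop_bits"):
        if client[key] != host[key]:
            problems.append(f"client {key} differs from host (step 3A6)")
    if acm["baud"] == "auto":
        if host["baud"] > ACM_AUTOBAUD_MAX:
            problems.append("ACM baud is Auto above 19,200; set it explicitly")
    elif acm["baud"] != host["baud"]:
        problems.append("ACM baud differs from host (step 5A1)")
    for key in ("parity", "data_bits"):
        if acm[key] != host[key]:
            problems.append(f"ACM {key} differs from host (step 5A2)")
    if host["connection"] != "Connect on DCD":
        problems.append("host connection type is not Connect on DCD")
    if set(host["flow"]) != HOST_FLOW:
        problems.append("host flow control differs from step 2A6")
    if client["flow"] != "RTS/CTS":
        problems.append("client flow control is not RTS/CTS (step 3A7)")
    if acm["protocol"] != "d-d":
        problems.append("ACM protocol is not d-d (step 5A3)")
    if acm["host_command_mode"] != "N" or acm["dialout"] != "N":
        problems.append("ACM Host Command Mode and Dialout must both be N")
    return problems

# Constructed sample settings for one port (not taken from a real system).
HOST = {"baud": 38400, "parity": "none", "data_bits": 8, "stop_bits": 1,
        "connection": "Connect on DCD", "flow": sorted(HOST_FLOW)}
CLIENT = {"baud": 38400, "parity": "none", "data_bits": 8, "stop_bits": 1,
          "flow": "RTS/CTS"}
ACM = {"baud": "auto", "parity": "none", "data_bits": 8,
       "protocol": "d-d", "host_command_mode": "N", "dialout": "N"}

if __name__ == "__main__":
    for line in check_link(HOST, CLIENT, ACM) or ["settings are consistent"]:
        print(line)
```

With the sample values the check reports the Auto setting on a 38,400 link;
setting the ACM channel baud to 38400 clears it.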


Troubleshooting Tips
--------------------

        1. Verify that the proper cable(s) are being used in host-to-ACM
           (Modem cable), ACM-to-workstation Direct Connect (Null Modem cable),
           and ACM-to-modem (Modem cable). The proper cable must be used
           for the configurations to function correctly. Also be aware that
           certain ACM's (Call Security Dynamics technical support) require
           adapters to be used on the ACM for Host and Modem connections.

        2. When creating Workstation Terminal Devices on the Application Server,
           verify that they were created as 'Direct Connect' devices, and not 
           modem devices. If the device shows a modem name, then it is not a 
           direct connect.

        
