
Training Guide for WALLIX

Certified Professional
(WCP)
Duration: 2 Days

Audience: Customers & Resellers

Role: Engineers / Technical Specialists

Goal: Mastery of the solution in terms of deployment, administration and usage within a
standard environment.

Author: Walter Karl

Email: wkarl@wallix.com
Training Guide for WALLIX Certified Professional (WCP)


CONTENTS
1 Installation And Initial Configuration
1.1 Installation of the WAB Image
1.2 Initial Configuration
2 First Login
3 Use Cases
3.1 Use Case #1: First Authorization for Windows
3.1.1 Define Users Objects
3.1.2 Define Resources Objects
3.2 Use Case #2: ADS/LDAP Integration
3.2.1 External Authentication
3.2.2 LDAP/AD Domains
3.3 Use Case #3: Map AD-Groups to WALLIX Session Manager Groups
3.4 Use Case #4: Different Account Types for Session Manager
3.5 Use Case #5: Authorization with Linux
3.5.1 UID/PWD based Login
3.5.2 SSH Key based Login
3.5.3 Direct Logon to Linux Targets
3.6 Use Case #6: Time Frame
3.7 Use Case #7: Approval Workflow
3.7.1 Definition of an Approval Workflow
3.7.2 Different Variants of using ‘Quorum’
3.8 Use Case #8: Application Integration
3.8.1 Integration of a simple application
3.8.2 Integration with credentials using virtual channel
3.9 Use Case #9: Password Manager
3.9.1 Periodical Change of Passwords and SSH Keys
3.9.2 ‘Check out/Check in’ of Passwords
3.9.3 Email account where changed passwords are sent to
3.10 Use Case #10: Session & Password Manager
4 Appendix
4.1 Using Rest API (curl)
4.1.1 Create API Key
4.1.2 Usage of Rest API and API Key (i.e. User Management)

1 INSTALLATION AND INITIAL CONFIGURATION

1.1 INSTALLATION OF THE WAB IMAGE


• Import WAB Session/Password Manager appliance into your virtual environment. Supported
platforms:
o VMware v5.5 and newer
o MS Hyper-V

• Open the OVF file and rename it.

• Note: If the following error message is displayed on VMware Workstation, the following line has to be modified

<rasd:ResourceSubType>VirtualSCSI</rasd:ResourceSubType>
to this
<rasd:ResourceSubType>lsilogic</rasd:ResourceSubType>

Additionally, the following line has to be modified as well

<rasd:ResourceSubType>VmxNet3</rasd:ResourceSubType>
to
<rasd:ResourceSubType>e1000</rasd:ResourceSubType>
for all four network devices.


• Note: If the following error message is displayed, delete the manifest file. The manifest (.mf) holds the digests of the package files, and the edited descriptor no longer matches its entry.
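The two edits above and the manifest error that follows them, as an added example (not from the guide or from WALLIX): a Python script that applies the substitutions to the descriptor text and shows that the .mf digest no longer matches, which is why the manifest has to be deleted (or regenerated). The sample OVF fragment and the file name wab.ovf are constructed for illustration.

```python
import hashlib
import re

# The two substitutions from the note above: SCSI controller type and the
# network adapter type used by the four NICs.
WORKSTATION_FIXUPS = {"VirtualSCSI": "lsilogic", "VmxNet3": "e1000"}

# Only the text between the tags is replaced; namespaces, attributes and the
# rest of the descriptor are left untouched.
_SUBTYPE_RE = re.compile(r"(<rasd:ResourceSubType>)([^<]*)(</rasd:ResourceSubType>)")

# Constructed sample descriptor fragment (not a real WALLIX OVF): one SCSI
# controller and four network devices, as the note describes.
SAMPLE_OVF = (
    "<Item><rasd:ResourceSubType>VirtualSCSI</rasd:ResourceSubType></Item>\n"
    + "<Item><rasd:ResourceSubType>VmxNet3</rasd:ResourceSubType></Item>\n" * 4
)


def fix_ovf_text(ovf_text, fixups=WORKSTATION_FIXUPS):
    """Return (rewritten descriptor, number of replacements per old value)."""
    counts = {old: 0 for old in fixups}

    def _swap(match):
        value = match.group(2)
        if value not in fixups:
            return match.group(0)
        counts[value] += 1
        return match.group(1) + fixups[value] + match.group(3)

    return _SUBTYPE_RE.sub(_swap, ovf_text), counts


def manifest_line(name, data, algo="sha256"):
    """One .mf entry in OVF manifest syntax, e.g. 'SHA256(wab.ovf)= <hex>'."""
    return "%s(%s)= %s" % (algo.upper(), name, hashlib.new(algo, data).hexdigest())


def parse_manifest(mf_text):
    """Map file name -> (algorithm, expected hex digest) from a .mf file."""
    entries = {}
    for line in mf_text.splitlines():
        m = re.match(r"^(SHA1|SHA256|SHA512)\((.+?)\)=\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            entries[m.group(2)] = (m.group(1).lower(), m.group(3).lower())
    return entries


def manifest_mismatches(mf_text, files):
    """Names listed in the manifest whose digest does not match `files`.

    `files` maps file name -> bytes. Any edit to the .ovf changes its digest,
    which is why the import fails until the .mf is deleted (or regenerated).
    """
    bad = []
    for name, (algo, expected) in parse_manifest(mf_text).items():
        data = files.get(name)
        if data is None or hashlib.new(algo, data).hexdigest() != expected:
            bad.append(name)
    return bad


if __name__ == "__main__":
    fixed, counts = fix_ovf_text(SAMPLE_OVF)
    print(counts)
    original_mf = manifest_line("wab.ovf", SAMPLE_OVF.encode())
    print(manifest_mismatches(original_mf, {"wab.ovf": fixed.encode()}))
    # Entry for a regenerated .mf, the alternative to deleting it:
    print(manifest_line("wab.ovf", fixed.encode()))
```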

• The import of the image takes a while.

• Go to network settings of the imported virtual machine and change the Network Adapter to
Custom (VMnet2). See document ‘TrainingGuide2018 - WCP_MetaData.docx’.

• For now disable the other Adapters.


Note: Do not configure eth1; it is reserved for the heartbeat connection in a high-availability
(active/passive) configuration.


1.2 INITIAL CONFIGURATION


• Start the WAB appliance
• To continue with the initial configuration click on OK or press Enter.


• Select the appropriate keyboard.

• Type in the initial wabadmin password: SecureWabAdmin


• Set the new wabadmin password and confirm it (e.g. WA85u1te)

• Repeat this for the user wabsuper.


• Confirm to use the password for the grub user as well.


• Finalize the password setting process with OK.

• The next step is to configure the hostname and network.


• First select Hostname and hit Enter.

• Type in the hostname you want to use then select OK and press Enter.


• Select Eth0 and press Enter.

• Do not use DHCP.


• Enter IP address, gateway and netmask.


2 FIRST LOGIN

• Login with …
o UID: admin
o PWD: admin

• Encryption on WAB: this passphrase is used to salt the encryption key with which the data
are encrypted. This means that the data can only be read with both secrets, the encryption key
and the passphrase.
Note: When a passphrase is set, an admin has to enter the passphrase after every reboot;
otherwise no logon to targets can be made.


• Check whether the local password policy meets your needs.

• Set new password for admin


• Check network settings

• Set up the time service.


• Set up the email server.

• Configure remote storage


• A choice can be made between NFS and CIFS.

• If CIFS is used, a different protocol version can be selected.

• Note:
CIFS – The ancient version of SMB that was part of Microsoft Windows NT 4.0 in 1996. SMB1
supersedes this version.
SMB 1.0 (or SMB1) – The version used in Windows 2000, Windows XP, Windows Server 2003
and Windows Server 2003 R2
SMB 2.0 (or SMB2) – The version used in Windows Vista (SP1 or later) and Windows Server
2008
SMB 2.1 (or SMB2.1) – The version used in Windows 7 and Windows Server 2008 R2
SMB 3.0 (or SMB3) – The version used in Windows 8 and Windows Server 2012
SMB 3.02 (or SMB3) – The version used in Windows 8.1 and Windows Server 2012 R2


3 USE CASES

3.1 USE CASE #1 : FIRST AUTHORIZATION FOR WINDOWS


3.1.1 Define Users Objects

• Define a local user – go to Users/Accounts and click on Add a user.

• Fill in the user name (usrUserA01), the email address (usera01@wallix.com), choose the
preferred language and the profile ‘user’. This profile is mainly used to give administrators
access to target systems.


Set the password for the user and leave Force password change set to No. Apply the settings.

• Now create a user group: go to Users/Groups and click on Add a group.

• Define the Group name, move the user usrUserA01 to the Selected Users area and apply the
settings.


3.1.2 Define Resources Objects


Note: When directory accounts are used as target accounts define a global domain and add the
target accounts to it. During device definition assign the global domain by selecting it.

3.1.2.1 Global Domain

• Go to Resources/Domains and click in the Global type section on Add a global domain. Name
the global domain, define the real name and save the settings.


• To add an account to this global domain click on Add an account.

• Fill in the values as shown in the screenshot and save the settings by clicking on the Apply
button.


• Go to Resources/Devices to define the targets and click on Add a device.

• Go to Resources/Devices and click on the target devWindows01. For the local domain use the IP
name of the machine. In addition, activate the global domain. Next, choose the RDP button in the
Service box. The RDP service name, port and connection policy can be modified, and sub-protocols
of RDP can be enabled/disabled.
Furthermore, more than one protocol can be defined for one target, for example if an SSH
server runs on that target as well.
Apply the definitions.


• Now to associate the global domain account click on Manage association.


• Move the global domain user to the Selected Accounts area.

• Then go to Resources/Groups and click on grpWindows01. Here, move the global domain user
to the Selected Target accounts area.

Note: Suggested best practice is to create the global domain before starting to create AD/LDAP
target devices. In that case the global domain can be activated during target device creation,
which means less work.


3.1.2.2 Local Domain and target accounts


• Create a privileged account for this target – go to Devices/Accounts and click on Add an
account.

• As Account type choose Device. Since there is only one device and one domain, they are
automatically selected. Enter the privileged account which should be used and its password.
Disable Automatic password change and Automatic SSH key change. Apply the definitions.
Note: this is the typical shared account/shared password scenario often found at customer
sites.


• Create a target group – go to Resources/Groups and click on Add a group.

• Type in the Group name, move the privileged account to the Selected Target Accounts and
apply the settings.
Note: The difference between Account, Scenario Account, Account mapping and
Interactive login will be explained in a later lab.

• Next create an Authorization, that is, give the users in group grpUserA access to targets in
group grpWindows01. To do so, go to Authorizations/Manage Authorization and click on
Add an authorization.


• Since there is only one User group and one Resource group, they are preselected. Give the
authorization a name and move the RDP protocols to the Selected Protocols/Subprotocols
area. Select Enable session recording and apply the settings.
Note: Sub-protocols can be enabled/disabled not only at the device level (remember) but at this
level as well.

• Now everything is done to use WALLIX Session Manager to access the target systems.
Log off as admin and log on as usrUserA01, or use a browser which supports different user
profiles (Chrome, Firefox).
Note: There are two ways to access the target system, via the marked icons. With the left one
a modified RDP configuration file can be downloaded and stored on the local computer. With
this the Web GUI is not needed anymore: double-click on the configuration file and the RDP
client is started and connects to the WALLIX Bastion appliance. The user has to
authenticate as a WALLIX Bastion user (here usrUserA01) and WALLIX Session
Manager logs him on to the target system; the user does not know the target password.
The second icon provides the same RDP configuration file but combined with a one-time password
(OTP). That means that no authentication against WALLIX Session Manager is needed. The
OTP is valid for 30 seconds (default setting). Use this to log on to the target system.

• Note: From version 6.0 on, the resolution for RDP sessions can be chosen.


3.2 USE CASE #2: ADS/LDAP INTEGRATION


This is done in two steps.

3.2.1 External Authentication

• Go to Configuration/External Authentications and click on Add an authentication.

• From the Authentication type list select LDAP-AD.

• Fill in the following data:

Authentication name: WALLIX Session Manager name for the AD/LDAP connection
Server: IP address or FQDN of the AD/LDAP server
Port: Port of the AD/LDAP server
Base DN: The level at which the search for the users starts (LDAP syntax). In this case
the search starts at the top level.
User name attribute: For Windows typically sAMAccountName is used
User: Account name in combination with the NetBIOS domain name
Password: Well, the password of the account. What else.
Apply the definitions.

3.2.2 LDAP/AD Domains

• Go to Configuration/LDAP/AD Domains and click on Add a domain.

• Fill in the WAB domain name and the LDAP/AD domain name, under Available
Authentications select LDAP-AD and move the AD connection to the Selected Authentications
area, and add the Default mail domain. Save the definitions with the Apply button.
Note: If Default domain is not selected, usrADSUserA01@ad.wallix.com has to be used to log in.
If it is selected, usrADSUserA01 is all that is needed.

3.3 USE CASE #3: MAP AD-GROUPS TO WALLIX SESSION MANAGER GROUPS

• Go to Users/Groups and click on grpUsers01. To modify the group settings click on Edit this
group. Choose the LDAP/AD domain (here only one exists and it is preselected) and for Profile
the profile ‘user’. The LDAP group needs to be defined in LDAP notation. Finally click on the
plus sign and apply the settings.

• Note: To verify whether the connection to the AD/LDAP is working, go to Users/Accounts and
switch to the defined domain. When users are listed, the connection to the AD/LDAP works
fine.


• Log in as an AD user. If the domain defined in the LDAP/AD domains definition is not set as
default, user name plus domain name needs to be used.


• Otherwise use the user name only.

• Since the AD group is mapped to grpUsersA the AD user has the same target assigned as the
local user usrUserA01.

3.4 USE CASE #4: DIFFERENT ACCOUNT TYPES FOR SESSION MANAGER

• Go to Resources/Groups and click on grpWindows01. To modify the group click on Edit this
group. In the Session Management section leave the setting for the Account button.


Click on Account mapping and move the target to the Selected Account mapping targets
section.

Click on Interactive login and move the target to the Selected Interactive login targets
section.

• Save the modifications and click the Apply button.

• Log on as usrADSUserA01@ad.wallix.com.

With the first two targets Session Manager logs in with the privileged user Administrator.
With the second target Session Manager asks for the credentials with which the login should
be done.
With the third target Session Manager logs in with the AD credentials.


3.5 USE CASE #5: AUTHORIZATION WITH LINUX


3.5.1 UID/PWD based Login
• Go to Resources/Devices and click on Add a device. Then define the Linux target as seen in
the screenshot and save it with Apply.

• To create the target account go to Resources/Accounts and define the root target account as
shown in the screenshot. Deselect Automatic password change and Automatic SSH key
change. Apply the settings.


• Go to Resources/Groups, create the group grpLinux01 and add the account
root@local@devLinux01:SSH to the Selected target accounts area.

• Finally go to Authorizations/Manage Authorizations and add the authorization
authSimpleAccess2Linux. Enable Session recording and apply the settings.

• Log on as usrUserA01 and test the logon to the Linux target.

3.5.2 SSH Key based Login


The public key for usera02 is already deployed to the account /home/usera02 on the Linux box.

• Create the target account usera02 and import the private key as shown in the screenshot.
Note: the key pair has to be OpenSSH or PuTTY based.


• Set the passphrase, which is WA85u1te, and apply the configuration.

• Now go to Resources/Groups and open the group grpLinux01. Then add the account
usera02@local@devLinux01:SSH to the Selected target accounts area. Apply the
configuration.


• Log on as usrUserA01 and test the session to the Linux target.

3.5.3 Direct Logon to Linux Targets


• Using an ssh client: take the target account definition and add it to the WALLIX user as shown in
the screenshot.

• Using the WinSCP client: define as User name the combination of the WALLIX Bastion target account
definition plus the WALLIX user.


3.6 USE CASE #6: TIME FRAME

• Create a new local user usrUserB01 and a new user group grpUsersB and make the user a
member of this group.
• Go to Configuration/Time Frames and click on Add a time frame.

• Fill in the Time frame name and click on Add period in the Periods box.
Note: by default the session is closed when the time frame ends. If this is not wanted, enable
the Do not close sessions at the end of the time period option.

• Define the time frame tfOfficeHours as shown in the screenshot. Click on Create period and
apply the settings.


• Go back to Users/Groups and change for the group grpUsersB the time frame parameter and
apply it.

• Go to Resources/Groups and create a new device group grpWindows02 and define the
shared privileged account Administrator@... as a target.

• Go to Authorizations/Manage authorizations and create a new one as shown in the
screenshot and apply it.


• Log on as user usrUserB01.

• During the logon process additional information is displayed regarding the end of the
session.

• Go back to Configuration/Time frames and deselect the current day of the time frame
OfficeHours.
• Log on as user usrUserB01 and start the target session. Information is displayed that access is
not allowed at this time.


3.7 USE CASE #7: APPROVAL WORKFLOW

3.7.1 Definition of an Approval Workflow

• Create a new local user usrUserC01 with profile user and a new user group grpUserC and
make the user a member.
• Create a new local user usrApproverC01 with profile approver and a new user group
grpApprovers03 and make the user a member.
• Go to Authorizations/Manage authorizations and create a new authorization as shown in the
screenshot.

• Enable the Enable approval workflow option, make Comment mandatory and Ticket optional,
move the group grpApproversC to Selected Approver groups and set both Quorums to 1.
Apply the settings.


• Log in as user usrUserC01. A Request button can be seen in the Approval column.

• With this Request button a session in the future can be requested. Click on the button to see
the dialog.
Click on the Start date field and choose the day. Do the same for the Start time. Fill in the Duration
time and the Comment, as it is mandatory.


• There is also a way to request access to a target ad hoc. Click on the right icon.

• The session is started and the dialog to request access ad hoc is displayed. Fill in the data
and confirm it.

• Information is displayed that the request is being processed.

• Every member of the group grpApprovers01 is informed by email. The email contains a link
to the WALLIX Bastion appliance. Log in as user usrApprover01 and click on the approval link.


• A pending request can be seen, click on the icon to work on it.

• All information about this request is shown. Fill in a comment and approve the request.

• Go back to the pending session. After a few seconds the session continues and informs how
long this session will last.


3.7.2 Different Variants of using ‘Quorum’

• When an approval workflow is used in combination with a time frame, the behavior within
and outside of the time frame can be defined differently.
The behavior in the screenshot means:
no approval workflow within the time frame;
outside the time frame an approval workflow is initiated.

• In this situation no approval workflow is initiated at any time.

• Leaving the line(s) empty causes the ad hoc approval workflow dialog to be displayed (see
the chapter before), but the request is automatically approved and the approver group gets an
informational email.

3.8 USE CASE #8: APPLICATION INTEGRATION

Note: To integrate applications, an additional Terminal Server is used as jump server. The
following prerequisites have to be fulfilled:

• ‘cmd.exe’ has to be published, accepting all parameters

• Drive mapping has to be enabled
• Clipboard function has to be enabled

3.8.1 Integration of a simple application

• Go to Resource/Applications and click on Add an application.


• Fill in the data as shown in the screenshot and save the settings with Apply.

• Now go to Resources/Accounts and create a dummy account.


• Change to Resources/Groups and create a group grpApplications01.

• Select the dummy account, move it to the Selected Target accounts list and apply the
settings.

• To define the corresponding Authorization, go to Authorization/Manage Authorization and
create the authorization authSimpleAccess2Applications. Activate the RDP protocols by
moving them to the Selected Protocol/subprotocols area and select the option Enable session
recording.

• Now log on as user usrUserA01 via one of the icons.


• After the RDP session is established the application is started.

• Minimize the application window and see that there is no access to the desktop.

3.8.2 Integration with credentials using virtual channel


• Go to Configuration/Configuration Options/RDP Proxy/Auth channel and type in the virtual
channel name used in the AutoIt script.


• The compiled AutoIt script is already copied to the Windows target system and is located at
C:\WABscripts\WABLogonVC.exe
• To create the application, go to Resources/Applications and click on Add an application.

• Fill in the settings as shown in the following screenshot.


• Now go to Resources/Accounts, make the settings as shown in the screenshot and save them.

• Change to Resources/Groups, open the group grpApplications01, add the newly created
account admin@local@appWABGUI and apply it.

• Login as usrUserA01 and start the login for the application appWABGUI.

• See how the automated login works.


3.9 USE CASE #9 PASSWORD MANAGER


3.9.1 Periodical Change of Passwords and SSH Keys

3.9.1.1 Set up Password Change for Linux/Unix

• Create a Password Change Policy.

• Set the policy name, define the password complexity and the time frame of the periodical change.

• Go to local domains for devices.


Note: Local domains are created through the device creation dialog.


• Select the Enable password change option to activate periodical password change. Define the
administrative account, the change policy, the plugin to be used and the administrative
password.
Note: if no administrative account is defined, only the user account itself is used to change
the password.

• Go to Resources/Accounts and activate Auto password change for each user where
passwords should be changed automatically. Here we create a new target account named
usera01 for the device devLinux01 and activate the Automatic password change option.


• The password change procedure can be checked at System/Syslog.

• The last password can be found at the Audit section (see screenshots).


3.9.1.2 Set up SSH Key Change for Linux/Unix

For this the already existing account usera02 for the device devLinux01 is used.

• Go back to Password Management/PasswordChangePolicies and modify the existing policy
as can be seen in the screenshot.

• Activate the Automatic SSH key change option for the target account usera02. To do this, go to
Resources/Accounts.


• Again, in the Syslog section the change of the SSH key can be seen in addition to the
password change. It can also be seen that the first attempt, done with the usera02 logon,
was not successful. Therefore root was used (‘Needing reconciliation …’) to do the change.

• In the Audit/Account history the last keys are documented.


3.9.1.3 Set up Password Change for Windows Domain with Global Domain
This use case addresses the password change of a shared domain user in the whole Windows
domain.

• Create a password policy for the Windows Domain

• In the Resources/Domains section open the existing global domain

• Activate the Enable password change option, then select the Password change policy and the
Password change plugin and define the Domain controller address as IP address or fully
qualified name.
Note: In this case no administrative account is used to change the password. That means that
WAB Password Manager uses the user account itself to change the password. If you want to
change the password with an administrative account (for example Administrator), it has to
be defined first under User/Accounts.


• Go to Resources/Domains and create a new shared domain user named dba. Select as Account
type ‘Global domain’, click on ‘ad.wallix.com’ and add the account.

• Leave the option Automatic password change activated.

Note: In the section Add/delete resource association all targets are managed which the
user is able to access.


• In the System/Syslog and Audit/Account history the password changes can be verified.


3.9.2 ‘Check out/Check in’ of Passwords

• Add a Checkout Policy

• Activate the Enable lock option. Define the Checkout duration: this is the time the account is
locked and after which the password is changed automatically (when the option Change
password at check in is activated). The option Checkout duration extension is the time period
by which the user can extend the duration. The option Maximum checkout duration defines how
long the duration can be at maximum. Activate Change password at check in when the password
should be changed after usage.


• Activate the password checkout policy for the target account dba. Do this for usera01
and usera02 as well.

• In the Resources/Groups section open the group grpWindows01. Click on the ‘Password
Management Account’ button and move the dba account to the Selected Accounts area.


• Do this also for the accounts usera01 and usera02 in the grpLinux01 group.

• Go to Authorizations/Manage authorizations and activate the Enable password checkout
option for the marked authorizations.

• Here is how to do it.

• Now log in as user usrUserA01 or usrADSUserA01@ad.wallix.com, go to the password area
and check out the password for the user dba.


• The password can now be copied into the login dialog of an RDP client.

• Note: Due to the setting made before, the password will be changed on Check in or when the
countdown timer ends.

• With the account usera02 the SSH key can be downloaded.

3.9.3 Email account where changed passwords are sent to


• Create a key pair with gpg2 on a Linux box. When prompted for the passphrase, leave it
empty.


• Export public key.

• Export private key.

• Now log in to WALLIX Session & Password Manager as admin, go to Users/Profiles and click
on Add a profile.


• Create a profile where only the option Credential recovery is enabled.

• Move to Users/Accounts and create a local user


• In addition import the GPG public key to this user.

• The private GPG key needs to be imported into the email account of this user.
• From now on every newly created password is emailed encrypted to this email account, and
once a day the list of all newly created passwords.


3.10 USE CASE #10: SESSION & PASSWORD MANAGER


Note: In a normal Windows server situation, when a user is logged on, for example as Administrator,
and another user logs on as Administrator as well, the first user is kicked out of his session. This can
cause severe inconsistencies in data and/or the system. The following steps show how WALLIX Bastion
Suite helps to protect an active session.

• Create a Checkout Policy. The Checkout duration can be any figure; the session will be
protected as long as it lasts.

• Select the Checkout Policy in the account(s) which shall be protected from being kicked out.


• This account is already activated for Session Manager.

• Create an Authorization where usrUserA01 and usrUserA02 can log on to this account. Log on
as usrUserA01 and then try to log on as usrUserA02; the result can be seen in the following
screenshot.


• If in the Checkout Policy the option Change password at check-in is selected the password is
changed after every session end.
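As an added illustration (not WALLIX code) of the checkout policy fields from use case #9 and the session protection in use case #10: a small model in which a checkout locks the account for Checkout duration, may be extended by Checkout duration extension up to Maximum checkout duration, and rotates the password at check-in or when the countdown ends, while a second user cannot take over an account that is still locked. An active session is simplified to a checkout held by the first user, and the policy values, times and account names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MINUTE = timedelta(minutes=1)
T0 = datetime(2018, 6, 1, 9, 0)   # constructed start time for the scenario


@dataclass
class CheckoutPolicy:
    checkout_duration: timedelta        # time the account stays locked
    duration_extension: timedelta       # step by which the holder may extend
    max_duration: timedelta             # hard cap on the total lock time
    change_password_at_checkin: bool = True


@dataclass
class TargetAccount:
    name: str
    policy: CheckoutPolicy
    locked_by: Optional[str] = None
    locked_since: Optional[datetime] = None
    lock_expires: Optional[datetime] = None
    password_version: int = 0   # bumped on every rotation (stand-in for the new secret)


def _release(acct):
    """Drop the lock; rotate the password if the policy asks for it."""
    acct.locked_by = acct.locked_since = acct.lock_expires = None
    if acct.policy.change_password_at_checkin:
        acct.password_version += 1


def is_locked(acct, now):
    """An expired lock is released (countdown ended) before answering."""
    if acct.locked_by is not None and now >= acct.lock_expires:
        _release(acct)
    return acct.locked_by is not None


def checkout(acct, user, now):
    """Use case #10: a second user cannot take over a checked-out account."""
    if is_locked(acct, now):
        return acct.locked_by == user        # only the holder may reuse it
    acct.locked_by, acct.locked_since = user, now
    acct.lock_expires = now + acct.policy.checkout_duration
    return True


def extend(acct, user, now):
    """Extend by one step, never past Maximum checkout duration in total."""
    if not is_locked(acct, now) or acct.locked_by != user:
        return False
    new_expiry = acct.lock_expires + acct.policy.duration_extension
    if new_expiry - acct.locked_since > acct.policy.max_duration:
        return False
    acct.lock_expires = new_expiry
    return True


def checkin(acct, user, now):
    """Only the holder can check in; the password is then rotated."""
    if not is_locked(acct, now) or acct.locked_by != user:
        return False
    _release(acct)
    return True


def lab_policy():
    """Constructed values: 30 min checkout, 15 min steps, 60 min maximum."""
    return CheckoutPolicy(30 * MINUTE, 15 * MINUTE, 60 * MINUTE)


if __name__ == "__main__":
    dba = TargetAccount("dba@ad.wallix.com", lab_policy())
    print("A01 checkout:", checkout(dba, "usrUserA01", T0))
    print("A02 checkout while locked:", checkout(dba, "usrUserA02", T0 + 5 * MINUTE))
    print("A01 check-in:", checkin(dba, "usrUserA01", T0 + 20 * MINUTE),
          "password version", dba.password_version)
```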


4 APPENDIX

4.1 USING REST API (CURL)


4.1.1 Create API Key
• Log in to the WAB appliance and become root.
• Start the WAB console by issuing the command WABConsole -u admin, where the user admin is the
GUI admin user.

• Create the API key with the command add_api_key -n "<key name>"
• Copy the key.

4.1.2 Usage of Rest API and API Key (i.e. User Management)

4.1.2.1 Get User


• Run the following command and pipe the result into the file user.json


• Check the content of the file

4.1.2.2 Create User


• Open the file user.json, change user_name and email, and delete the line "is_locked": false,
before closing.

• Run the following command

• Check in WABSM that the user was created.
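The Get User and Create User steps above done from Python instead of curl, as an added example that is not the guide's own command. It assumes that the API is reached at https://<host>/api/users and /api/users/<name> and that the key is sent in the X-Auth-User and X-Auth-Key headers; check both against the API documentation of your Bastion version. The host, key and exported record are placeholders or constructed, and verify_tls=False (the equivalent of curl -k) is meant only for a lab appliance with a self-signed certificate.

```python
import json
import ssl
import urllib.request

BASTION_HOST = "bastion.example.invalid"      # placeholder: your appliance
API_USER = "admin"                            # the GUI admin user from 4.1.1
API_KEY = "<paste the key from add_api_key>"  # placeholder
READ_ONLY_FIELDS = ("is_locked",)             # the guide deletes this line before POST

# Constructed stand-in for the user.json exported in 4.1.2.1 (not real output).
SAMPLE_EXPORT = {
    "user_name": "usrUserA01",
    "email": "usera01@wallix.com",
    "display_name": "User A01",
    "profile": "user",
    "is_locked": False,
}


def auth_headers(user, key):
    """Header names assumed from the Bastion REST API; confirm for your version."""
    return {"X-Auth-User": user, "X-Auth-Key": key, "Content-Type": "application/json"}


def prepare_user_payload(exported, user_name, email):
    """Apply the 4.1.2.2 edits: new name and email, read-only fields dropped."""
    payload = {k: v for k, v in exported.items() if k not in READ_ONLY_FIELDS}
    payload["user_name"] = user_name
    payload["email"] = email
    return payload


def _request(method, path, body=None, verify_tls=True):
    ctx = ssl.create_default_context()
    if not verify_tls:   # the equivalent of curl -k; only for a lab appliance
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request("https://%s%s" % (BASTION_HOST, path), data=data,
                                 method=method, headers=auth_headers(API_USER, API_KEY))
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def get_user(name, verify_tls=True):
    """4.1.2.1: the record the guide pipes into user.json."""
    return _request("GET", "/api/users/%s" % name, verify_tls=verify_tls)


def create_user(payload, verify_tls=True):
    """4.1.2.2: POST the edited record."""
    return _request("POST", "/api/users", body=payload, verify_tls=verify_tls)


def clone_user(template_name, new_name, new_email, verify_tls=True):
    """Fetch a template user, adjust it and create the new one."""
    status, exported = get_user(template_name, verify_tls)
    if status != 200 or not isinstance(exported, dict):
        raise RuntimeError("could not read template user %s (HTTP %s)" % (template_name, status))
    return create_user(prepare_user_payload(exported, new_name, new_email), verify_tls)


if __name__ == "__main__":
    # Offline part of the flow: what would be POSTed for a new user.
    print(json.dumps(prepare_user_payload(SAMPLE_EXPORT, "usrUserA02",
                                          "usera02@wallix.com"), indent=2))
```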


4.1.2.3 Delete User (TBD)
