
SafeNet Authentication Service

(SAS)

POC - Prerequisites

Prepared By: Hazem Moftah

Date: 01/09/2018

Customer Responsibilities

The Customer will assign a Project Manager to act as a single point of contact for all issues
related to the engagement and be responsible for:

• Management direction required to meet project deliverables.
• Assignment of responsibilities to SafeNet’s consultant.
• Ensuring availability of information and other resources needed by the SafeNet consultant to complete his/her assignments.

The Customer’s Project Manager will be responsible for receiving any deliverables created as
a result of this service, managing the process of deliverable acceptance, being the primary
contact for all business decisions, and providing any needed approvals for changes to the
scope and cost of the Service.

The Customer will provide SafeNet with:

• Adequate workspace for each of its consultants, as well as access to telephones, copiers, faxes, conference rooms, lab facilities, development, and printing facilities as reasonably necessary for SafeNet to work in the Customer’s facilities
• Technical support in the form of Systems Administration and Network Administration as required for the duration of the Service
• Copies of relevant configuration and processes documentation
• Access to key technical personnel, in particular those with an understanding of the business requirements and technical acumen to facilitate SafeNet's delivery of the Service defined in this POC
• Facilities access and access to relevant internal and external systems as needed

Pre-requisites (System Requirements)

The Customer is responsible for ensuring the following installation pre-requisites (system
requirements) are in place prior to commencing the SafeNet POC engagement:

Service account

Prior to installation of the SAS-PCE server, a dedicated Service Account needs to be available for use during the installation and for subsequent system configuration.

The SAS-PCE service account must meet the following attributes:

• Member of Domain Users
• Member of Administrators (preferred) or local administration rights on the SAS-PCE server
• Logon as a service to the SAS-PCE server
• Password never expires

SAS-PCE System Requirements to be prepared by the Customer

| Description | Windows | Quantity |
|---|---|---|
| SAS Core Servers – Includes NPS Role (Radius) | • Windows Server 2008 R2 SP1** • Windows Server 2012*** • Windows Server 2012 R2**** • Windows Server 2016 (64-bit) | 1 |
| Service Account used for SAS-PCE installation and system admin | Member of Domain Users and Domain/Local admin | 1 |
| Database Servers | MS SQL 2008, MS SQL 2012, MS SQL 2014, MS SQL 2016 | 1 |
| LDAP Directories | Active Directory | 1 |
| Additional Software Components | IIS 7.x; .Net 4.6.2 or recommended 4.7.2, in addition to .Net 3.5 as well | 1 |
| Processor | Minimum: .4 GHz (x64 processor); Recommended: 2 GHz or faster | |
| Memory | Minimum: 8 GB RAM; Recommended: 16 GB RAM or greater | |
| Disk Space | Minimum: 800 MB; Recommended: 500 GB or greater with logging enabled | |
| Display | HD (1280 x 768), 24-bit colour or higher | |

Ports

| From | To | Port | Usage |
|---|---|---|---|
| Management Console | SAS-PCE Management Web Portal | TCP 80, 443 | Port 80 and/or 443 can be used for management sessions, provisioning, Self-enrolment, Self-service and to service encrypted authentication requests from configured Agents. For security purposes port 443 (SSL) is recommended. |
| Self-Enrolment Portal (DMZ) | SAS-PCE Self-Enrolment Web Portal | TCP 80, 443 | As above. |
| Self-Service Portal (DMZ) | SAS-PCE Self-Service Web Portal | TCP 80, 443 | As above. |
| SAS Server | MS SQL Server (HA) | TCP 1433 | 1433 – this connection will be initiated from the SAS server to the MS SQL host. |
| Users PC / Smart Phones | Self-Enrolment Portal | TCP 443 | This is required for token enrolment. |
| SAS Service | Customer SMTP/Email server | TCP 25 | This is used for connecting the SAS server to an SMTP server. Port 25 is used for sending SAS notification emails (for example user software token provisioning, hardware token assignment/provisioning, OTP by Email, operator validation, random PIN issuance), issuing management alerts (for example user lockout/unlock, enrolment lockout, license expiry/capacity, service notification) and for the receipt-by-email of SAS generated reports. |
| SAS server | SMS provider | 80/443 | See the SMS provider’s documentation. |
| Test Windows Client Machines | SAS Server | TCP Port 80 or 443 | This is needed in both directions. |
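
The outbound flows in the Ports table can be verified from the SAS-PCE server before the engagement starts. The script below is an added example, not part of the original SafeNet document; the host names are placeholders (assumptions) to be replaced with the POC's SQL, SMTP and SMS provider hosts, and it uses only .NET classes available on the listed Windows Server versions.

```powershell
# Added example: pre-flight TCP reachability check, run on the SAS-PCE server.
# Host names are placeholders (assumptions); replace them with the POC hosts.
$flows = @(
    @{ Usage = 'MS SQL Server (HA)';         Target = 'sql.example.internal';  Port = 1433 },
    @{ Usage = 'Customer SMTP/Email server'; Target = 'smtp.example.internal'; Port = 25 },
    @{ Usage = 'SMS provider';               Target = 'sms.example.com';       Port = 443 }
)

# Attempt a TCP connect with a timeout; returns $true only if the handshake completes.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false          # filtered or silently dropped
        }
        $client.EndConnect($pending)   # throws on refusal or DNS failure
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($flow in $flows) {
    New-Object PSObject -Property @{
        Usage     = $flow.Usage
        Target    = $flow.Target
        Port      = $flow.Port
        Reachable = Test-TcpPort -Target $flow.Target -Port $flow.Port
    }
}

$results | Select-Object Usage, Target, Port, Reachable | Format-Table -AutoSize

# A non-zero exit code lets the check be used as a gate in a checklist script.
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) { exit 1 }
```

A successful connect only confirms the firewall path and a listening service; SQL logins, SMTP relay permissions and the portal certificates still need to be validated separately.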

Supported Browsers

The standard interface with SafeNet Authentication Service or components such as Self-
Enrolment and user Self-Service is a browser. The following browsers are supported:

• Internet Explorer 8, 9, 10
• Firefox 3+
• Chrome

Certain functions may require ActiveX controls and/or JavaScript.


Supported Authenticators for the POC

The following authenticators are supported by SAS-PCE. Verify that at least one type is
available to test/use SAS-PCE OTP authentication:

• eToken
• MobilePASS+

Grant dial-in permissions for users

In Active Directory Users and Computers, open a user’s properties. Open the Dial-in tab.
Under Network access permissions verify that ‘Allow Access’ is selected.

Windows Server 2008/R2 (64-bit/x64) configuration

• Internet Information Services 7 (IIS7) Role with services
  o Application Development
  o ASP.NET
  o Static Content
  o Basic Authentication
  o Windows Authentication
  o Management Tools
• .Net 4.7.2
• .Net 3.5
• Network Policy and Access Server Role (Microsoft NPS RADIUS)
• NTRadPing 1.5
  o RADIUS test utility that simulates authentication and accounting requests and sends them to the RADIUS server, making NTRadPing act as a NAS client
  o Download NTRadPing 1.5 from http://www.novell.com/coolsolutions/tools/14377.html

Resource requirements

To ensure a timely and efficient proof of concept, SafeNet recommends that all parties provide the allocation and briefing of the following resources:

Customer Partner
Administrator for SAS X
Delegated manager for SAS X
Network specialist X X
Windows server specialist X X
Database Specialist X X
VPN Specialist X X

The availability of these people at the right time will minimise delays in completing the proof of
concept.
