
SMS PASSCODE 8: Enhanced Dispatcher functionality and support for RD Web Access Windows Server 2012R2

In November 2015 SMS PASSCODE released version 8 of their multi-factor authentication product. The new version includes several enhancements and improvements that make it more than worth taking another look at the product. In this article I will start by listing the improved and new features, followed by a more in-depth look at the integration of the functionality I described in the article Multi Factor authentication with SMS PASSCODE without sending an (actual) SMS, and then at the new support for multi-factor authentication on Windows Server 2012R2 RD Web Access.




New features

As the jump to a full new release number already indicates, SMS PASSCODE 8 has lots of improvements. I will quickly summarize these enhancements before we dive into two of them in more detail:

- Restructured Core infrastructure: several core components are set up differently, providing a more unified approach. The biggest change can be seen in the transmission component, where additional technologies such as e-mail and third-party dispatchers are now available in the same way as the traditional SMS modems. I will show this next in the article.

- AD FS 3.0 support

- Advanced protection for Remote Desktop on Windows Server 2012R2. I will also go into more detail about this feature later in this article.

- Windows 10 support for the Windows Logon protection

- Enhanced RADIUS Protection with Multi-CRP support

- Powerful Integrations to Powerful Third Party Providers

- End-to-end Support for General LDAP Directories

- Added Functionality for Customization of Self-service website

Dispatcher enhancements

First let’s go back to a previous article, Multi Factor authentication with SMS PASSCODE without sending an (actual) SMS. In that article I showed how SMS PASSCODE leveraged a third-party company to send the authentication token to an app. The technique and the possibilities were and are very cool, but the implementation was based on several manual actions. In version 8 SMS PASSCODE has embedded the configuration fully into the management console, so the configuration is as easy as you are used to from SMS PASSCODE.

The first step is to enable the usage of the Dispatch Connector modules via Settings – General – Misc. Settings, as shown in the figure below.

Next we can set up a Dispatcher within the Transmission component, followed by Dispatch Connectors. After selecting Add a new dispatcher, SMS PASSCODE shows a large list of providers that are built into the product. In my case I’m using the Acision/Mindmatics technology, available as Xura in SMS PASSCODE. After selecting the provider I only have to fill in the username and password of Acision and connect the Dispatcher to a transmitter host. This can be done during the creation of the dispatcher or later on via Hosts – Transmitter Hosts.

The last step is to add the Dispatcher Connector to a Dispatcher Policy. Open an existing Dispatcher Policy or create a new one, and configure the Dispatch type via the Dispatch settings. Here you can select the Dispatch Connector you just configured. Logically, the Dispatch Policy needs to be assigned to a User Group Policy to become active. This way of assignment is now the default for all set-ups, including those that do not have load balancing in place. I must admit that this way of working is more logical and easier to maintain.

As you can see, the set-up is much easier and more maintainable than the implementation in version 7.2. It is good to see that SMS PASSCODE has integrated this set-up nicely within the GUI.

Let’s continue with the new functionality to protect RD Web Access for Windows Server 2012R2. For this part we need to run the installer on the RD Web Access server(s). Ensure that no SMS PASSCODE services are selected in the Core Features program selection. In the next window you can select the Authentication Clients. SMS PASSCODE automatically detects which clients are applicable for this specific machine. As we want to protect the RD Web Access component, we need to select the IIS Website Protection client. After this selection SMS PASSCODE automatically detects that a Remote Desktop Web Access (RD Web) site is installed/configured and automatically checks the option to enable RD Web protection.

After that the installation continues and the authentication client is installed. What I really love about the SMS PASSCODE product is that the configuration of the clients is minimal. Thanks to the detection methodology you only have to configure the connection to the authentication backend services and the shared secret key, and you are good to go (after you have tested the connection, so you know in advance that your set-up within SMS PASSCODE is correct).

 

After the installation and the short configuration the solution is fully set up and operational (assuming that you have already added the users to SMS PASSCODE). The user can connect to your RD Web Access server and will see the logon screen they are used to. After entering their username and password, an SMS PASSCODE window will appear where they need to enter their passcode (which is generated on the fly). After entering the passcode they will see the available desktops and/or applications as they are used to.

Summary

With the new release SMS PASSCODE has again made some big enhancements to their product. I really like the new Dispatcher configuration, including the more logical configuration of this part. The Windows Server 2012R2 RD Web Access support is also a real added value that many customers will like. As we are used to, it is again nicely implemented and can be set up really quickly.