
Filters

  1. To limit access to your Resource depending on a user’s country, add a Geographic Filter.
  2. To limit access to your Resource depending on the login time, add a Time Filter.
  3. Then assign the Filter to the Resource that you wish to apply it to.
The number of Filters that you may add depends on the Service Plan you select.

1. How to Add a Geographic Filter

This feature allows you to open access to the Resource only from certain countries. If someone tries to log in from a forbidden country, they will not get access to the account; if they log in from an allowed country, the system will ask for a one-time password. You can also deny access only from selected countries.

  1. Log into your account in Protectimus SAAS Service or On-Premise Platform and go to Filters – Geo Filters.
  2. Click the Add Filter button.
  3. Enter the Filter Name and select the countries where access to your Resource will be allowed or denied. Then click Save.
  4. Assign the created Geo Filter to the Resource. Read how to do this here.

2. How to Add a Time Filter

This feature allows granting access to a Resource only at a certain time; for example, only during business hours. This approach significantly increases the level of protection against unauthorized account access. It’s perfect for corporate environments: even if a User leaves their Token at work, nobody can access the User’s account in their off-hours.

  1. Log into your account in Protectimus SAAS Service or On-Premise Platform and go to Filters – Time Filters.
  2. Click the Add Filter button.
  3. Enter the Filter Name, specify the time zone, mark the days of the week and specify the time at which access to your Resource will be allowed or denied. After that, click Save.
  4. Assign the created Time Filter to the Resource. Read how to do this here.

3. How to Assign Filters to a Resource

  1. Go to the Resources page.
  2. Find the Resource you need, click Assign, then select a Geo Filter or a Time Filter, depending on which filter you want to assign.
  3. After that, select the desired filter from the list that appears, and click Assign.

Outlook Web App (OWA) 2FA

This guide shows how you can set up Outlook Web App two-factor authentication (OWA 2FA) using the Protectimus Cloud MFA service or Protectimus On-Premise MFA Platform.

Adding multi-factor authentication to the Outlook Web App protects users’ accounts from unauthorized access and such hacking attacks as brute force, data spoofing, phishing, social engineering, keyloggers, etc.

ATTENTION! .NET Framework 4.7.x is required.

1. Get Registered and Configure Basic Settings

PLEASE NOTE! An SSL certificate trusted on your network must be used to integrate OWA with the On-Premise Platform. An auto-generated certificate created during installation cannot be accepted by the Exchange Server. We recommend using a certificate issued by AD CS via certsrv.
  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform.
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2. Install the Protectimus OWA 2FA Component

  1. Download the Protectimus OWA 2FA installer here.
  2. Run the installer as administrator.
  3. You will see a welcome screen. Click Next to continue.
  4. Read and accept the terms in the license agreement and click Next to continue the installation.
  5. Enter API URL, Login, and API Key and click LogIn.

    These parameters stand for:
    • API URL – the address of the API endpoint. If you use the SAAS Service, the API URL is https://api.protectimus.com/. In the case of the On-Premise Platform, the API URL is the address of the server where the Platform is running (for example, https://localhost:8443).
    • Login – the login of your account, the same as for signing in.
    • API Key – you’ll find it in your profile. To access your profile, click the user’s login in the top right corner of the interface, and choose the “Profile” entry from the drop-down list.
  6. Resource ID. Choose the Resource you created before the installation. After that, click Next to continue.
    If you haven’t added the Resource yet, add it now: click Add Resource and enter any Resource Name you wish.
  7. Set additional settings:
    • Invalid OTP Message – specify the message text for invalid OTP.
    • General API Error Message – specify the API error message text.
    • AD Group – if you want to add two-factor authentication only for a specific AD group, select that AD group. By default, two-factor authentication will be enabled for all users.
    • Protocol – specify the connection protocol. SSL3, TLS1, TLS1.2, and TLS1.3 are supported. SSL 3.0 and TLS 1.0 are deprecated (RFC 7568, RFC 8996), so select TLS 1.2 or TLS 1.3 where your environment allows.
    • Cache Timeout – specify how often Protectimus will contact Active Directory to check if the user requesting OWA access is added to AD. Time must be indicated in minutes. By default, the value is set to 15 minutes, which means that Protectimus will synchronize with Active Directory once every 15 minutes. If you specify a value of 0, the system will contact Active Directory every time a user logs in.
    • OTP Cookie Lifetime – specify how often the end users will be asked to re-authenticate. Time must be indicated in minutes. By default, the value is set to 720 minutes (12 hours), which means that every 12 hours your users will be asked to enter their one-time passwords to continue working with OWA.

    PLEASE NOTE! You can also change these settings in the configuration file later.

  8. Click Next to continue.
  9. Everything is ready for installation. Check the boxes for the modules you want to protect – OWA, Exchange Admin Center, or both of them. Then click Install.

3. Log in to Outlook Web App or EAC with Protectimus 2FA

  1. Open your Outlook Web App or Exchange Admin Center.
  2. Enter your Username and Passcode, and then click Login.
  3. Enter the one-time password from the two-factor authentication token.
PLEASE NOTE! If you use an OCRA token, use the challenge you will see on the authentication page to generate a one-time password.

4. How to Change Settings

You can change any settings, including API URL, API key, Resource ID, Group settings and other optional settings, in the config file.

The configuration file is usually located at the following path: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa

Integration of Outlook Web App with Protectimus 2FA solution is now complete. If you have other questions, contact our customer support service.

5. Username Format Configuration

The user login in the Protectimus service should be in the format of user@domain or DOMAIN\user, where user is the username in AD, and domain is your corporate domain.
To transmit the user login in the desired format to the API, you can use the following parameter in the configuration file:

<add key="protectimus:is-owa-old-format" value="true" />

The protectimus:is-owa-old-format parameter can have two values: true or false.
PARAMETER VALUE | FUNCTION
true | When the user enters the login in the format DOMAIN\user (netBiosName), the login is converted to the user@domain format (UserPrincipalName).
false | When the user enters the login in the format user@domain, the login is converted to the DOMAIN\user format.
If the parameter is not set | The user’s login, entered during login, is transmitted to the API in its original format.

Additionally, the user can enter the login in the format user@domain if the value is set to true, or DOMAIN\user if the value is set to false. In this case, no conversion will be performed as the login is already in the “correct” format.

Tokens

Visit the Tokens page to find more information about the OTP tokens we support. You can mix any types of tokens you need.

PLEASE NOTE! To avoid adding all tokens manually, you may activate the Users’ Self-Service Portal, which allows users to enroll, register, and manage their Tokens themselves.

ATTENTION! One User can use only one Token for authentication on one Resource. The number of Tokens that you may add depends on the Service Plan you select.

1. How to Add Tokens Manually

  1. Log into your account in Protectimus SAAS Service or On-Premise Platform and go to the Tokens page.
  2. Click the Add Token button.
  3. Select the Token that you want to add. It can be:
  • Hardware tokens. Protectimus Two (use the Protectimus Two button), Protectimus Slim NFC (use the Protectimus Slim button), Protectimus Flex (use the Protectimus Slim button), Yubico OATH, SafeNet eToken Pass.
  • Software tokens. 2FA application Protectimus SMART (use the Protectimus SMART button), any other two-factor authentication app like Google Authenticator (use the Google Authenticator button), delivery of OTP password via email (use the Protectimus MAIL button), SMS (use the Protectimus SMS button), or chatbots in Facebook Messenger, Telegram, Viber (use the Bot token button).
  • Universal token. This mechanism allows adding any OATH hardware tokens from other vendors. You need to know the secret key of the token.
  4. After selecting the desired type of OTP token, fill in all necessary fields, enter a one-time password from the token and click Save.
PLEASE NOTE! You can also use a PIN code with any type of token you choose. If you activate the PIN code function, the user will have to enter the PIN code in the input field together with a one-time password (before or after the one-time password, depending on the administrator’s choice). The one-time password and the PIN should be entered as one string without spaces or any other characters between them. This is an additional level of protection for the user account.
ATTENTION! After adding the token, you need to assign the Token to a specific User and assign the Token with User to the Resource.

2. How to Edit Tokens

  1. Go to the Tokens page.
  2. Find the Token you need, and click on its Name.
  3. You will see the page with detailed information about the Token where you can:
  • change the name of the Token;
  • add / change / delete PIN code;
  • temporarily deactivate the Token;
  • change the length of the one-time password.

3. How to Deactivate Tokens

If a user loses their token or, for example, forgets the token at home, and you want to provide urgent access to this user, you can deactivate this token for a certain period of time or forever.
  1. Go to the Tokens page.
  2. Find the Token you need and click on the drop-down list in the Enabled field. You may deactivate the token for:
    • 1 hour;
    • 8 hours;
    • 12 hours;
    • 24 hours;
    • You may also deactivate it permanently by choosing the option deactivate.
ATTENTION! When you disable this parameter, a positive result will be returned for ANY OTP.

4. How to Re-Issue Tokens

If a user loses access to their token, an administrator can re-issue the token for this user manually. You can also enable a Users’ Self-Service Portal and allow your users to re-assign their tokens themselves.
  1. Go to the Tokens page.
  2. Find the Token you need, and click on its Name.
  3. Go to the Token Re-Issuance tab, then fill in all the required fields, and click Re-Issue.

5. How to Delete Tokens

PLEASE NOTE! Only the creator or the chief administrator can delete the Tokens.
  1. Go to the Tokens page.
  2. Find the Token you need, click on the red button with the image of the bin, and confirm your action.

6. How to Synchronize Hardware Tokens With MFA Server

  1. Go to the Tokens page.
  2. Find the token you need, and click on its name.
  3. Navigate to the Token Synchronization tab.
  4. Enter two consecutive one-time codes from the token you are synchronizing into the appropriate fields and click Submit.
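
What submitting two consecutive codes lets a server do, shown as an added illustration that is not Protectimus code: for a counter-based OATH token (HOTP, RFC 4226) the server searches a look-ahead window for a position where both codes match in sequence, then continues from the counter after them. The function names, the window size of 50 and the scenario are assumptions; the secret is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter position (RFC 4226, HMAC-SHA-1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _well_formed(otp: str, digits: int) -> bool:
    """Accept only ASCII digit strings of the expected length."""
    return len(otp) == digits and otp.isascii() and otp.isdigit()


def resync(secret, server_counter, otp1, otp2, window=50, digits=6):
    """Locate the token's counter from two consecutive codes.

    Returns the counter the server should expect next, or None when no
    position inside the look-ahead window yields otp1 followed by otp2.
    Requiring two codes in sequence keeps the chance of a false match at
    roughly window / 10**(2*digits) instead of window / 10**digits.
    """
    if not (_well_formed(otp1, digits) and _well_formed(otp2, digits)):
        return None
    # Search forward only: codes from counters the server has already
    # passed must never be accepted again.
    for c in range(server_counter, server_counter + window):
        first_ok = hmac.compare_digest(hotp(secret, c, digits), otp1)
        second_ok = hmac.compare_digest(hotp(secret, c + 1, digits), otp2)
        if first_ok and second_ok:
            return c + 2
    return None


# RFC 4226 Appendix D test key; the scenario below is constructed.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # The server expects counter 2 next, but the button was pressed a few
    # extra times and the token now shows the codes for counters 5 and 6.
    print(resync(SECRET, 2, "254676", "287922"))
```

For time-based tokens the same search runs over time steps instead of button presses, which measures the token's clock drift.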

Users

  • In Protectimus Cloud Service, you can add the Users manually or import the Users using a CSV file.
  • In Protectimus On-Premise Platform, you can add the Users manually, import the Users using a CSV file, or enable Users synchronization with your user directory. You’ll find instructions on enabling the synchronization of users in the On-Premise Platform section.
The number of Users that you may add depends on the Service Plan you select. If you need to add more Users, please select the required number of Users by customizing your Service Plan.

1. How to Add Users Manually

  1. Log into your account in Protectimus SAAS Service or On-Premise Platform and go to the Users page.
  2. Click the Add User button.
  3. Specify the user Login; other parameters are optional. The User Login must contain only Latin letters, numbers, and symbols _-@∽!#%+.$. Spaces and any other symbols are not allowed. Then click Save.
PLEASE NOTE! If you plan to activate the registration of Tokens through the Users’ Self-Service Portal, your Users in Protectimus system must additionally have a password or an email address on record. A verification code will be sent to the registered email address to allow your users to log into the Self-Service Portal. If a User has both a password and a registered email address, that User will use the password to log in. After a Token is issued for a User and assigned to a Resource, the User will also be asked for an OTP password from the Token when logging in to the Users’ Self-Service Portal.

2. How to Import Users

  1. Go to the Users page.
  2. Click the Import Users button.
  3. Create a CSV file according to the instructions that you will see.
Example:

login, email, phoneNumber, firstName, secondName, resourceName1, tokenName1, resourceId2, tokenId2
John, [email protected], 9990000001, John, Smith, matrix, smartToken, office, 901
Steve, [email protected], 9990000002, Steve, Stevenson, office, , , 79
  4. Attach your CSV file and click Import.
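
A pre-upload check for an import file in the layout shown above, added here as an example (not Protectimus code): it applies the User Login character rule from "How to Add Users Manually" and reports rows that break it, repeat a login, or have the wrong number of fields. The function name and sample rows are constructed, and accepting ASCII "~" for the tilde in the symbol list is an assumption.

```python
import csv
import io
import re

# Login rule from "How to Add Users Manually": Latin letters, digits and the
# listed symbols, no spaces. ASSUMPTION: ASCII "~" is accepted as well as the
# tilde-like character shown on the page (U+223D).
# Backslash is not in the listed symbols, so a DOMAIN\user login fails the
# rule as it is written on the page, while user@domain passes.
LOGIN_RE = re.compile(r"[A-Za-z0-9_\-@~\u223d!#%+.$]+")


def check_import(text):
    """Return [(line_number, problem), ...] for a users-import CSV."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = [h.strip() for h in next(reader, [])]
    if not header or header[0] != "login":
        return [(1, "first column must be 'login'")]
    problems, seen = [], {}
    for row in reader:
        line = reader.line_num
        if not any(cell.strip() for cell in row):
            continue  # blank line
        if len(row) != len(header):
            problems.append(
                (line, f"expected {len(header)} fields, got {len(row)}"))
            continue
        login = row[0].strip()
        if not LOGIN_RE.fullmatch(login):
            problems.append(
                (line, f"login {login!r} has characters outside the allowed set"))
        elif login in seen:
            problems.append(
                (line, f"login {login!r} already used on line {seen[login]}"))
        else:
            seen[login] = line
    return problems


# Constructed sample: line 2 is valid, lines 3 to 6 each carry one problem.
SAMPLE = "\n".join([
    "login, email, phoneNumber, firstName, secondName, resourceName1, tokenName1",
    "alice@corp.example, alice@example.com, 9990000001, Alice, Doe, office, smartToken",
    r"CORP\alice, , , Alice, Doe, office,",
    "bob smith, bob@example.com, , Bob, Smith, office,",
    "alice@corp.example, , , Alice, Doe, office,",
    "carol, carol@example.com, 9990000003, Carol",
])

if __name__ == "__main__":
    for line, problem in check_import(SAMPLE):
        print(f"line {line}: {problem}")
```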

3. How to Assign a Token to a User

You need to assign tokens to users to let the authentication system know which Token every User owns.
  1. Go to the Users page.
  2. Find the User you would like to assign a token to, and click the Assign Token button:
  • if you have not created a Token yet, choose New, and add a token;
  • if you have already created a Token (for more information see the Tokens section), choose Existing, then select the required Token and click Assign.

4. How to Deactivate a User’s Token

If a user loses their token or, for example, forgets the token at home, and you want to provide urgent access to this user, you will only need to deactivate this token. In this case, this token will not be involved in the user authentication process.
  1. Go to the Users page.
  2. Find the User you need and click on their Login.
  3. Go to the Tokens tab.
  4. Click the Cancel button and confirm this action.

5. How to Edit Users

  1. Go to the Users page.
  2. Find the User you need to edit and click the blue button on the right.
  3. You will be taken to the Edit User page where you can make changes.

6. How to Delete Users

  1. Go to the Users page.
  2. Find the User you would like to delete and click on the red button with the image of the bin.
  3. Confirm the action.

Resources

Resources serve as a means to group Users. For example, if you need to protect the users of various web projects or the employees of different departments, you may add several Resources.

The number of Resources (projects) that you may create depends on the Service Plan you select. If you need to create more Resources, please select the desired or required number of Resources by customizing your Service Plan.

1. How to Add a Resource

  1. Log in to your account in Protectimus SAAS Service or On-Premise Platform and go to the Resources page.
  2. Click the Add Resource button.
  3. This will take you to the Resource adding page, where you’ll need to specify just a Resource Name and click Save; the remaining parameters are optional:
  • Webhook URL. Whenever there is an update for the Resources, we will send a POST request containing a JSON update to the specified webhook URL. In case of an unsuccessful request, we will give up only after a reasonable number of attempts. Currently, the webhook is used to receive the result of INTERACTIVE authentications. INTERACTIVE authentications are supported by the Protectimus Bot token.
  • SSL certificate. The public key certificate certifies that the public key belongs to the indicated webhook. The certificate supplied should be PEM encoded (ASCII Base64). The PEM file must contain only the public key certificate, beginning with “-----BEGIN CERTIFICATE-----” and ending with “-----END CERTIFICATE-----”.
  • Allowed IP Addresses. Allows you to restrict access to the system only from trusted IP addresses.
  • IP Verification is Enabled. Enables the restriction of access to the system only from trusted IP addresses.
  • Number of Unsuccessful Login Attempts before Locking. The value of this parameter should be specified between 3 and 10. If a User or Token is not authenticated successfully, the number of failed authentication attempts will be increased for this User. When the threshold number of failed attempts for the specified Resource is exceeded, this User will be locked. A User can be unlocked through the web interface or the API (the edit user method). If a User is authenticated successfully, the number of failed authentication attempts will be reset to zero, provided that the threshold number of failed attempts for the specified Resource is not exceeded and this User has not yet been locked.
  • Enabled. Allows you to enable or disable the Resource.
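
A check to run on the webhook certificate file before uploading it, given as an added example (not Protectimus code): it confirms that the file holds exactly one CERTIFICATE block and nothing else, and in particular that no private key block was exported along with it. The function names are hypothetical and the sample bodies are constructed placeholder bytes, not real certificates; only the PEM structure is checked.

```python
import base64
import binascii
import re

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END ([A-Z0-9 ]+)-----", re.S)


def check_webhook_pem(text):
    """Return a list of problems; an empty list means the file is acceptable."""
    problems = []
    blocks = PEM_BLOCK_RE.findall(text)
    for begin, body, end in blocks:
        if begin != end:
            problems.append(f"BEGIN {begin} is closed by END {end}")
        elif begin.endswith("PRIVATE KEY"):
            problems.append(f"{begin} block present: never upload key material")
        elif begin != "CERTIFICATE":
            problems.append(f"unexpected {begin} block")
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except binascii.Error:
                problems.append("certificate body is not valid base64")
            else:
                # A DER-encoded certificate always starts with a SEQUENCE tag.
                if der[:1] != b"\x30":
                    problems.append("certificate body is not a DER SEQUENCE")
    count = sum(1 for begin, _, _ in blocks if begin == "CERTIFICATE")
    if count != 1:
        problems.append(f"expected exactly 1 CERTIFICATE block, found {count}")
    if PEM_BLOCK_RE.sub("", text).strip():
        problems.append("extra text outside the PEM block")
    return problems


def _pem(label, raw):
    """Wrap raw bytes in PEM armour (used only to build the samples)."""
    body = base64.encodebytes(raw).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed placeholder bytes that only look like DER; not a certificate.
FAKE_DER = b"\x30\x82\x01\x0a" + bytes(range(90))
CERT_ONLY = _pem("CERTIFICATE", FAKE_DER)
CERT_AND_KEY = CERT_ONLY + _pem("PRIVATE KEY", FAKE_DER)

if __name__ == "__main__":
    print(check_webhook_pem(CERT_ONLY))
    print(check_webhook_pem(CERT_AND_KEY))
```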

2. How to Edit a Resource

  1. Go to the Resources page.
  2. Select the desired Resource and click on the blue button on the right.
  3. You will be taken to the Resource settings page where you can make changes.

3. How to Delete a Resource

A Resource may be deleted only by the Administrator who created it or by the chief system administrator.
  1. Go to the Resources page.
  2. Find the Resource you are going to delete, and click on the red button with the image of the bin.
  3. Confirm the action.

4. How to Assign Users and Tokens to Resource

Users and Tokens must be assigned to the Resource, otherwise Users will have no access to this Resource and Tokens won’t work. The method of assigning a User to a Resource depends on the authentication method selected. Protectimus supports several user authentication methods:
  1. User authentication with a static password. This method requires that a User should have a password, and that this User should be assigned to the Resource.
  2. User authentication with a one-time password. This method requires that a User should have a Token, and that this User should be assigned to a Resource WITH this token. This method will not work if a User and a Token are assigned to a Resource separately from each other.
  3. User authentication with a static password and a one-time password. It is a combination of the two methods described above. A User must be assigned to a resource WITH a token. This User must have a password. If a User’s Token is deactivated, OTP authentication will not be performed, in which case only this User’s static password and this User’s compliance with the filters’ requirements, if any, will be authenticated.
  4. Token authentication on a resource. This method allows you not to assign a Token to any specific User, but simply to verify the validity of a one-time password generated by the Token. This method requires that a Token should be assigned to a Resource.

To assign Tokens with Users to a Resource:
  1. Go to the Resources page.
  2. Find the Resource you need, click Assign, then Token with User (make sure that you’ve already assigned your Tokens to Users).
PLEASE NOTE! You may assign only Users or only Tokens if you choose User authentication with a static password or Token authentication on a resource.
  3. Select the Tokens that should be assigned to the Resource and click Assign.

SaaS Service: Guide to Setting Up Cloud-Based Two-Factor Authentication

There are two options in the distribution of Protectimus Two-Factor Authentication Server:
  • Cloud Service – a cloud-based (SaaS) solution, which enables you to have an easy start and to maintain the authentication infrastructure effectively.
  • On-Premise Platform – an on-premises solution for installation in the customer’s environment to handle all the processes. You’ll find instructions on installing the Protectimus On-Premise Platform in our Protectimus On-Premise Platform Installation Guide.
ATTENTION! We suggest you start testing Protectimus two-factor authentication system by setting up the cloud service. Switching between cloud and on-premise authentication servers is as simple as changing a few strings in the configuration file.

1. Getting Started with Protectimus’ SaaS Service

To register in the Service, open the registration page https://service.protectimus.com, fill out the registration form and click Register. A confirmation email will be sent to the provided email address. After you click the link in the email, your address will be confirmed and you will be able to use the Protectimus cloud-based authentication Service.

2. API Activation in Protectimus’ SaaS Service

When using the Service, you’ll need to activate a payment plan for the API. To do so, navigate to the “Service plans” page at http://service.protectimus.com/pricing and activate the plan you’d like to use. Your account won’t be charged until you activate a plan, but you won’t be able to use the API until you do so. You can also deactivate a payment plan at any moment if for some reason you won’t need to use the service for more than one day. When you deactivate a plan, a one-time fee is charged to your account for that day, according to the rates in the active plan. When a plan is active, you’ll be charged once per day automatically.

After activating a payment plan, the API status icon will change to the “enabled” state, indicating that the service is ready for operation through the API.

3. Integration

Integrate the Protectimus Cloud Service with the system you plan to protect with two-factor authentication and configure the necessary settings. To do this, download the instructions and the integration component you require on the Docs page: https://www.protectimus.com/integrations/.

4. Basic Settings

Basic settings, required for the operation of Protectimus two-factor authentication Service or Platform, include:
  1. Adding Resource;
  2. Adding Users;
  3. Adding Tokens;
  4. Assigning Tokens to Users;
  5. Assigning Tokens with Users to a Resource.
Also, some additional features are available:
See detailed instructions on setting up Protectimus two-factor auth system in the Admin Panel Overview section.

On-Premise Platform: Installation and Configuration of the Two-Factor Authentication Platform

The Protectimus On-Premise Two-Factor Authentication Platform can be installed on your private servers or in your private cloud.
  • Private server installation requirements: Java (JDK version 8); PostgreSQL DBMS, version 10 or later.
  • Private cloud installation requirements: CPU: 2 cores, memory: 8 GB; OS: Linux; cloud disk: 20 GB; load balancer.
To ensure uninterrupted operation of your multi-factor authentication server, deploy it to a cluster of several servers (we recommend using at least three nodes). Use a load balancer to distribute the load among them.

To install the Protectimus On-Premise Platform, you can use the installer for Windows or create a Docker Image.

How to Get Started with the Protectimus MFA Platform

  1. Install the Platform by creating a Docker Image or using the installer for Windows.
  2. Register and activate your license.
  3. Set up user synchronization with your user directory (or manually add/import users).
  4. Configure basic settings, including adding resources and tokens.
  5. Issue and import a trusted SSL certificate.
  6. Integrate the platform into your infrastructure.

For additional guidance, check these important resources:

1. Protectimus Platform Installation Using a Docker Image

  1. To start installing the Protectimus On-Premise Platform, first of all, download and install docker and docker-compose:
  2. Then clone the git repository: https://github.com/protectimus/platform-linux.git
  3. Go to the platform-linux/platform directory and run:
docker-compose up -d
  4. You can monitor the process of platform deployment using the command:
docker-compose logs -f
  5. After the deployment process is complete, the platform will be available at: https://localhost:8443

2. Protectimus Platform Installation on Windows

  1. Download and run the Protectimus Platform installer. Check the Platform box and click Next.

    If you are going to use RADIUS integrations, and/or OTP delivery via chat-bots in messaging apps Telegram, Facebook Messenger, or Viber, also check the appropriate boxes.
  2. Before deploying the Protectimus Platform, Java must be installed on your server. Click the Install button to check for Java. If it’s not installed yet, the latest JDK version will be installed automatically.
  3. Also, the PostgreSQL database management system (version 9.2 and above) must be installed on your server. Click the Install button to check for PostgreSQL. If it’s not installed yet, the latest PostgreSQL version will be installed automatically.
ATTENTION: You will need to set a superuser name and password during installation. You’ll need this password to log in to PostgreSQL later.
Please remember your superuser name (postgres) and the password you set at this step. This name and password will be required to log in to PostgreSQL later.
  4. Log in to the PostgreSQL database. Enter the superuser name and password you specified during the PostgreSQL installation and click LogIn. Then click Next to continue the installation.
  5. Create and select the database you will use for Protectimus On-Premise Platform.
  • Create a new database. Enter the desired database name and click Create.
  • Check whether it has been created using the List button.
  • Click the Select button, choose the database you’ve just created, and click Next.
  6. Initialize the database. Click Init to execute SQL scripts and initialize your database. This may take some time.
  7. Select the folder to install the Protectimus Platform and click Install.
The server will be started on port 8080 or 8443, and the platform will be available from the address http://localhost:8080 or https://localhost:8443. It will be opened automatically after the installation. After launching the platform, you’ll need to register in the system.

3. How to Get Registered in Protectimus System

The installer will automatically open the registration form at http://localhost:8080 or https://localhost:8443.

Please create an account and log in to configure the necessary settings.

4. How to Pay and Activate the License

After testing the Protectimus Platform successfully, you’ll need to get a license. To do so, go to http://platform_path/licensing, select the option you require and get the license key.

Using the key you received, you can pay for and download your license online. To do so:

  1. Go to https://service.protectimus.com/en/platform and click Purchase License.

  1. Enter your license key into the Licensing Key field and click Submit.

  1. In the next step, click the Pay button.

  1. Choose a payment method. If you require an alternate payment method, contact Protectimus customer support.

  1. After successful payment, click the Issue Platform License button.

    You can also do this on the page https://service.protectimus.com/en/platform by clicking the Issue License button.

  1. Enter the key into the Licensing Key field and click Submit. After that, the license file will be downloaded.

  1. After receiving the license file, download it to the server and provide the path to the license file in the licence.file.path parameter of the protectimus.platform.properties file. Please note that the path to the license file must be written with double backslashes (e.g. C:\\some\\path\\file).
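Why the double backslashes matter, as an added example (not Protectimus code): it assumes protectimus.platform.properties is parsed with standard Java .properties escaping, as java.util.Properties.load does, and shows what a single-backslash path decodes to. The function names and sample lines are constructed for illustration.

```python
import re

ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def java_unescape(raw):
    """Decode a value as java.util.Properties.load would (no line continuations)."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] != "\\" or i + 1 == len(raw):
            out.append(raw[i])
            i += 1
        elif raw[i + 1] == "u":
            digits = raw[i + 2:i + 6]
            if not re.fullmatch(r"[0-9a-fA-F]{4}", digits):
                raise ValueError("malformed \\uXXXX escape (single backslash before 'u')")
            out.append(chr(int(digits, 16)))
            i += 6
        else:
            # \t \n \r \f become control characters; before any other
            # character the backslash is silently dropped.
            out.append(ESCAPES.get(raw[i + 1], raw[i + 1]))
            i += 2
    return "".join(out)

def read_property(text, key):
    """Return the decoded value of `key` from .properties text, or None."""
    for line in text.splitlines():
        # Lines starting with # or ! are comments and never match.
        m = re.match(r"([^=:\s#!][^=:\s]*)\s*[=:\s]\s*(.*)", line.lstrip())
        if m and m.group(1) == key:
            return java_unescape(m.group(2))
    return None

def check_licence_path(text, key="licence.file.path"):
    """Return a list of problems with the configured licence path."""
    try:
        value = read_property(text, key)
    except ValueError as exc:
        return [str(exc)]
    if value is None:
        return [f"{key} is not set"]
    problems = []
    if any(ord(c) < 32 for c in value):
        problems.append("decoded path contains control characters")
    if not re.match(r"[A-Za-z]:[\\/]", value):
        problems.append(f"decoded path {value!r} is not an absolute Windows path")
    return problems

# Constructed sample lines, not taken from a real installation.
GOOD = r"licence.file.path=C:\\some\\path\\file"
BAD = r"licence.file.path=C:\some\path\file"
```

With the single-backslash form, `\s` and `\p` lose their backslash and `\f` becomes a form feed, so the platform would look for a file that does not exist.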

5. How to Enable Users Synchronization With Your User Directory

  1. Log in to your Protectimus account and click Users – Synchronization – Add LDAP user provider.

  1. In the Connection section, fill in the details about your user directory.

Basic settings:
| Field | Value | Note |
|---|---|---|
| Connection URLs | URL to connect to your LDAP server | Example: ldaps://dc1.domain.local:636. For DSPA, you need to use the LDAP connection, and you also need to import the SSL certificate. A standard way: `keytool -import -alias ___ -file '___.cer' -keystore 'C:\Program Files\Java\jre___\lib\security\cacerts' -storepass changeit` |
| Base DN | Full DN of the directory in which your users are stored | Example: DC=domain,DC=local |
| Password | The password of the specified user | |
| User DN | DN or userPrincipalName of the administrator or user who has access to user information | Example: CN=Administrator, CN=Users, DC=demo, DC=domain, DC=local or [email protected]. For DSPA, the user must have rights to change passwords. |
| Timeout (ms) | Connection timeout | |
 
  1. After filling in details about your user directory, add synchronization attributes.

    Click on the Attributes button.

    Then add your attributes as shown in the example.

    Additionally, an OpenLDAP configuration is available among the provided vendors. You can select it in the Vendor field.

  1. Now configure the Password Encoder setting.

    Select an algorithm that matches your configuration. Available algorithms: AD-specific (UTF-16LE), Plain, BCRYPT, SHA256, SSHA256, SHA512, SSHA512, MD4, MD5, SMD5, SHA, and SSHA.


  1. After successfully adding the user provider, you need to import the users into the Protectimus system and synchronize them with your user directory.

    In the Synchronization mode field, you should choose how you would like to import your users.

    Importing users can be set up in three ways:
    • Import – will never update user data.
    • Import and Update – will always update user data when possible.
    • Import, Update and Delete – will always update user data when possible. Protectimus users, as well as the software tokens assigned to them, will be removed upon the user’s removal from external user storage.

  1. Now configure the Use pagination setting.

    When Use pagination is activated, records are retrieved with multiple queries if their number exceeds 200 or 500. This is because LDAP servers typically return a limited number of entries by default.

  1. Set up a filter to be applied during synchronization.

    Use this filter to select only the users you want to synchronize.

    For example, to import only those users who have the telephoneNumber and mail attributes specified, set up the following filter:

    (&(telephoneNumber=*)(mail=*))

    To import users from a specific group, choose the required group. In our example, it is the Users group.


  1. Now configure the Enroll SMS token setting.

    When Enroll SMS token is activated, SMS tokens will be enrolled and assigned to your users during synchronization.

  1. In the Resource associations section, you can choose the resource to which the users will be assigned during synchronization.


  1. The next step is to enable user synchronization. This can be accomplished in three ways:

    1. Use the Synchronize now button to synchronize all users at once.

      You can also select the Synchronize modified button to synchronize only the users who have been modified since the last synchronization.

    1. Use the Synchronize individuals feature to synchronize only the selected users from your user directory.

    1. Or enable automatic user synchronization by activating the Enabled option at the top of the page.
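To preview which accounts a synchronization filter admits before running a sync, the added example below (not part of the Protectimus platform) evaluates the filter from the filter step above against constructed entries. It goes slightly beyond the page by also handling |, ! and equality tests, assumes case-insensitive matching, and does not handle substring filters; the function names and the employeeType value are illustrative.

```python
def _parse(s, i):
    """Parse one parenthesised filter at s[i]; return (node, next index)."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, children, i = s[i], [], i + 1
        while s[i:i + 1] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"wrong number of operands for '{op}'")
        node = (op, children)
    else:
        end = s.find(")", i) if ")" in s[i:] else len(s)
        attr, sep, value = s[i:end].partition("=")
        if not attr or not sep or ("*" in value and value != "*"):
            raise ValueError(f"unsupported item at offset {i}")
        # "attr=*" is a presence test; any other value is an equality test.
        node = ("present" if value == "*" else "eq", attr.lower(), value.lower())
        i = end
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute -> list of values)."""
    kind = node[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    values = [v.lower() for k, vs in entry.items() if k.lower() == node[1] for v in vs]
    return bool(values) if kind == "present" else node[2] in values

ENTRIES = [  # constructed directory entries, not real data
    {"cn": ["alice"], "mail": ["a@example.test"], "telephoneNumber": ["555-0101"]},
    {"cn": ["bob"], "mail": ["b@example.test"]},
    {"cn": ["carol"], "telephoneNumber": ["555-0103"]},
    {"cn": ["dave"], "mail": ["d@example.test"], "telephoneNumber": ["555-0104"], "employeeType": ["contractor"]},
]

def preview(filter_text, entries=ENTRIES):
    """Return the cn of each entry the filter selects; ValueError if malformed."""
    text = filter_text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return [e["cn"][0] for e in entries if matches(node, e)]
```

Calling `preview("(&(telephoneNumber=*)(mail=*))")` selects alice and dave; adding `(!(employeeType=contractor))` inside the `&` narrows the result to alice.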

6. How to Configure Basic Settings

Basic settings, required for the operation of Protectimus Two-Factor Authentication Platform, include:
  1. Adding Resource.
  2. Adding Users. You can enable user synchronization with your directory or add/import users manually.
  3. Adding Tokens.

    PLEASE NOTE: If you plan to use Protectimus BOT, Protectimus MAIL, or Protectimus SMS tokens to deliver one-time passwords to your users, follow these instructions to set up the OTP delivery methods: Additionally, you can enable the Users’ Self-Service Portal, allowing users to enroll, register, and manage their tokens independently.
  4. Assigning Tokens to Users.
  5. Assigning Tokens with Users to a Resource.
Also, some additional features are available:

7. How To Integrate and Configure the Protectimus On-Premise Platform

Integrate the Protectimus On-Premise MFA Platform with the system you want to secure with two-factor authentication. To do this, find the relevant integration guide on the Integrations page.

If you can’t find the required guide or have any questions, contact our support team, and we’ll be happy to assist you with the integration.