Release Notes, Version 22-Oct-2012 - Navisite...NaviSite Managed Cloud Services (MCS) – Release...

October 22, 2012 A Time Warner Cable Company Release Notes, Version 22-Oct-2012

  • NaviSite Managed Cloud Services (MCS) – Release Notes – Version 22-Oct-2012 Page | 2

    Table of Contents

    NaviCloud AppCenter Release Notes, Version 22-Oct-2012

    Two factor authentication available for AppCenter
      2FA upon AppCenter login
      2FA upon Connect To VPN login within AppCenter
      Using Duo smartphone App for 2FA

    Ability to NAT all ports from a front-end IP to a back-end IP

    Description field added to VMs, search

    NaviCloud AppCenter Release Notes, Version 22-Oct-2012

    This document lists selective enhancements, bug fixes, and related changes made to NaviSite Managed Cloud Services (MCS) release version 22-Oct-2012.

    This document includes summary details of changes reflected in the AppCenter user interface. Other changes not manifested in AppCenter may be listed as well, in the interest of completeness, but if their descriptions are not keyed to visible features their summaries may as a result be more cursory. In addition to changes documented herein, the release may include undocumented enhancements, optimizations, and fixes to items unperceived and unreported outside of NaviSite.

    List of Changes Noted for Release Version 22-Oct-2012

    Two factor authentication available for AppCenter

    Ability to NAT all ports from a front-end IP to a back-end IP

    Description field added to VMs, search

    Two factor authentication available for AppCenter

    This release provides the option for NaviCloud accounts to be configured to require two factor authentication (2FA) login challenges. If your NaviCloud account is configured to enforce 2FA, the additional security comes into effect:

    • upon AppCenter login; and
    • upon Connecting to VPN – Cisco AnyConnect – login within AppCenter.

    Two factor authentication requires that system logins employ more than one form of authentication. For NaviCloud 2FA the authentication factors are:

    • Something you know – User ID and password combination (UID/PW).
    • Something you have – A device (e.g. mobile phone) capable of receiving calls or text messages, through which token passcodes can be communicated.

    (A third classic authentication factor type, “something you are,” typically involves biometrics and is not currently used with NaviCloud 2FA.)

    Under NaviCloud 2FA, users eligible to login know their user ID and password; and have a phone registered to receive authentication calls and token passcodes. A stolen or guessed UID/PW is useless to potential intruders without the correct phone. A stolen or found phone is useless to potential intruders without the correct UID/PW. Thus only users with knowledge and possession of both factors at once can authenticate against system challenges requiring both of the two factors.

    Requesting 2FA provisioning

    AppCenter users with Super Admin privileges can request two factor authentication provisioning through the Account tab’s Features screen (the Two Factor Authentication section of the Features screen is not displayed to users without Super Admin privileges):

    Figure 1: 2FA request displays, Account tab’s Features screen

    The 2FA submission does not automatically or instantaneously switch on the additional security. Instead, it queues a provisioning request for NaviCloud’s engineering team.

    Once 2FA provisioning is completed by NaviCloud engineering, AppCenter login will first prompt for 2FA device registration. AppCenter login and Connect To VPN login within AppCenter will subsequently prompt for both authentication factors upon each login attempt – as detailed here below.

    2FA upon AppCenter login

    If your NaviCloud account is provisioned for two factor authentication, the AppCenter login process includes:

    • First-time, one-time prompts, through which you enroll a phone for 2FA purposes.
    • Subsequent login prompts, first for UID/PW authentication and second for token passcode authentication as communicated through phone and login dialog.

    The following screen captures illustrate the 2FA process used for AppCenter login.

    First-time, one-time – 2FA enrollment

    When you sign into AppCenter, the system prompts for 2FA device enrollment, offering these choices:

    • Optional installation of app onto smartphone.
    • Enrollment via phone call.
    • Enrollment via text message (illustrated below).

    Figure 2: Initiating login to AppCenter; prompt to install optional 2FA app.

    Note: The remaining examples in this section skip installation of the App and instead show the text message and phone call alternatives. For details on using the Duo App, see the dedicated section Using Duo smartphone App for 2FA.

    Figure 3: First-time login, one-time enrollment of phone with 2FA security provider; call or text option (text illustrated here)

    Subsequent, standard 2FA login prompts

    Figure 4_alt1: Subsequent 2FA logins, phone call option: 2FA challenge via receipt of and response to a phone call

    Figure 4_alt2: Subsequent 2FA logins, text message option: 2FA challenge/response using passcode received via text message

    2FA upon Connect To VPN login within AppCenter

    If your NaviCloud account is provisioned for two factor authentication, AppCenter’s Connect to VPN facility accessed from the Servers tab issues the following authentication challenges:

    • First: Prompts you to login to AnyConnect with your user ID and password.
    • Second: Prompts for token passcode authentication, as communicated through phone and login dialog (using the phone enrolled via AppCenter 2FA device enrollment).

    The following screen captures illustrate the 2FA process used for Connecting to VPN within AppCenter.

    Figure 5: Initiating Connect to VPN from AppCenter Servers tab

    Figure 6_alt1: 2FA phone call option: 2FA challenge via receipt of and response to a phone call

    Figure 6_alt2: 2FA text message option: 2FA challenge/response with passcode received via text message

    The following details illustrate the 2FA process used for authenticating via Cisco AnyConnect desktop client. The desktop client presents the following dialog:

    Figure 6_alt3: 2FA via Cisco AnyConnect desktop client

    The Second Password field is not presented when 2FA is not enabled on the AnyConnect firewall. If 2FA is not in effect (i.e. is not provisioned on your cloud account) you must enter the word “phone” or “push” into the Second Password field to get logged in. If 2FA is in effect (i.e. is provisioned on your cloud account), you must enter “sms” in the Second Password field – which results in Duo’s sending via text message a set of passcodes to your enrolled phone. To complete AnyConnect client login, you can then re-enter your cloud Password and specify one of the texted passcodes as Second Password.

    Alternatively, if you have the Duo App installed and activated on your smartphone, you can use its “Generate Passphrase” feature and enter the generated value into the Second Password field to get logged in. For details on using the Duo App, see the dedicated section Using Duo smartphone App for 2FA.

    VPN connection success indicator:

    Figure 7: Connect to VPN login success

    Using Duo smartphone App for 2FA

    When you opt to use the Duo App for 2FA logins, you perform the following steps:

    One time:

    • Enroll a phone.
    • Install the App onto the phone. Activate the App on the phone.

    Each login:

    • Use controls on the smartphone App to enable you to pass cloud UI’s 2FA login challenge.

    Enroll a phone: Upon your submission of cloud system UID/PW login credentials, the system displays a dialog from which you enroll a phone as 2FA device to be used for subsequent 2FA logins. Specify phone number in Phone details and select Phone type. Then click the Call me or Text me button. Duo will call or text a 6 digit verification code. Enter the verification code and click the Verify button. When verification is complete, click the Continue button.

    Figure DuoApp1

    Install and activate App on enrolled phone: The system displays an Install Duo Mobile dialog. Click the Text me the installation link button.

    Figure DuoApp2

    Duo sends a text to the phone with an App installation link. Open the link in a browser on the phone. The dialog display refreshes to enable its Continue button. Use the text message’s installation link to install the App on your phone. Then reboot your phone. Then click the cloud system dialog’s Continue button. The system displays an Activate Duo Mobile dialog. Click the Text me the activation link button.

    Figure DuoApp3

    Duo sends a text to the phone containing an activation link. Select the link from the phone and select Activate Duo Mobile. After activation, go into the App on the phone and select Generate Passcode. On the cloud system dialog, specify the generated Passcode in its field and press the Verify button. Upon verification, press the Continue to login button. The system displays a successful enrollment screen.

    Figure DuoApp4

    Use App for 2FA logins to cloud UI: Subsequent to one-time procedures of steps 1-4 above: When logging into the cloud UI you can select the dialog’s Duo Push option and press the Log in button. On the enrolled phone you receive a Login Request Received message. Choose to View it. The view displays details of the login request. Select the Approve Request button. Your cloud 2FA login completes.

    Figure DuoApp5

    Ability to NAT all ports from a front-end IP to a back-end IP

    This release provides a way to specify in one single Network Address Translation (NAT) rule that all ports should map from an external IP to an internal IP.

    From the Network tab’s Services screen, the Add NAT Rule dialog invoked when you add a service rule now includes an All Ports option in the select lists for the Public Port and Private Port fields. If the All Ports option is selected as either the public or private port, the dialog locks the other port field to the All Ports selection as well.

    Figure 8: Specifying NAT for all ports

    Description field added to VMs, search

    This release provides a field for each VM’s Server Details screen in which you can specify descriptive text (up to 50 characters) to be associated with the VM. Simply click into the area near the VM name on its Server Details display to specify or change a description, and click out of the area when done.

    Figure 9: VM description field; adding (or editing) a description; results

    The Server tab’s Search facility is enhanced with this release to locate VMs by description as well as by its former targets of VM name or IP.

    Figure 10: Search for VMs by description
