Workspot, Inc.

RSA SecurID Ready Implementation Guide

Last Modified: September 16, 2013

Partner Information

Product Information

Partner Name: Workspot, Inc.

Web Site: workspot.com

Product Name: Workspot

Version & Platform: Workspot 2.0.3 for iPad and iPhone

Product Description: Workspot helps companies improve productivity by securely connecting users to core business applications and data on their personal mobile devices. Workspot’s patent-pending mobile virtualization solution can be quickly deployed using existing infrastructure. The Workspot solution consists of a client application running on a mobile device together with a cloud-based administration console.

Solution Summary

The Workspot Client is a secure mobile virtualization container on the device, which includes a virtual file system and a virtual network. The virtual network provides secure connectivity to the users’ corporate resources while the virtual file system stores documents downloaded on the device.

Workspot Control is a cloud-based service console that an IT administrator uses to configure and manage the applications, VPN connection and policies for mobile users.

Workspot and RSA SecurID

Workspot leverages RSA SecurID authentication provided by SSL VPN gateway appliances and currently supports the following vendors and products:

Cisco Adaptive Security Appliance (ASA)

Dell SonicWALL Secure Remote Access (SRA)

F5 BIG-IP Access Policy Manager (APM)

Juniper Secure Access Series SSL VPN

Note: Individual products may not support all features. Links to RSA’s Cisco, Dell, F5 and Juniper SSL VPN Implementation Guides can be found in the Appendix of this document.

RSA SecurID supported features

Workspot 2.0.3

RSA SecurID Authentication via Native RSA SecurID Protocol: Yes
RSA SecurID Authentication via RADIUS Protocol: Yes
On-Demand Authentication via Native SecurID Protocol: Yes
On-Demand Authentication via RADIUS Protocol: Yes
RSA Authentication Manager Replica Support: Yes
Secondary RADIUS Server Support: Yes

RSA Software Token Supported Features

Windows Automation: No
SID800 Automation: No
OS X Automation: No
iOS Automation: Yes
Android Automation: No
File-based Provisioning: No
CT-KIP Provisioning: Yes
CTF Provisioning: Yes

Workspot Authentication using RSA SecurID

In Workspot Control, the administrator defines which SSL VPN gateway the mobile user authenticates and connects to, and defines a security policy to enable RSA SecurID. The VPN gateway must be configured to use the RSA Authentication Manager for authentication.

The Workspot client authenticates using RSA SecurID as follows:

1. Workspot Control sends a security profile with RSA SecurID enabled to the mobile device.

2. The mobile user initiates a login via the Workspot client.

3. The user’s credentials (username and passcode) are sent to the VPN gateway to authenticate using the RSA Authentication Manager.

4. The RSA Authentication Manager may present authentication challenges associated with the user’s account or token state.

5. The user enters responses to the authentication challenges as required.

6. If the credentials are valid, the user will be authenticated by the RSA Authentication Manager and a VPN session is created with the VPN gateway. If the authentication fails, the user is denied access and a session is not established.

[Figure: authentication flow between Workspot Control, the Workspot Client, the SSL VPN Gateway and the Authentication Manager, with steps 1 through 6 labelled]
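A simplified model of steps 3 through 6, added here as an illustration and not Workspot, RSA or gateway-vendor code: a toy authentication server that issues New PIN and next-tokencode challenges and rejects a replayed tokencode, plus a client loop that answers each challenge. The tokencodes, `FAIL_LIMIT`, and all class and function names are constructed assumptions; the real SecurID algorithm and wire protocol are not modelled.

```python
import re

ACCEPT, REJECT = "accept", "reject"
NEW_PIN, NEXT_CODE, PASSCODE = "new-pin", "next-tokencode", "passcode"
PIN_RULE = re.compile(r"[A-Za-z0-9]{4,8}")  # user-defined 4-8 alphanumeric PIN
FAIL_LIMIT = 3  # assumption: bad passcodes before next-tokencode mode applies

class AuthManager:  # toy stand-in for the server behind the VPN gateway
    def __init__(self, codes, pin=None):
        self.codes, self.pin = codes, pin   # pin=None models New PIN mode
        self.tick, self.used = 0, -1        # current interval, last consumed one
        self.fails, self.expect = 0, PASSCODE

    def submit(self, value):
        if self.expect == NEW_PIN:          # value is the proposed PIN
            if not PIN_RULE.fullmatch(value):
                return NEW_PIN              # re-prompt until the policy is met
            self.pin, self.expect = value, PASSCODE
            return PASSCODE                 # authenticate again with the new PIN
        code, fresh = self.codes[self.tick], self.tick > self.used
        bare = self.expect == NEXT_CODE or self.pin is None
        if not (fresh and value == (code if bare else self.pin + code)):
            self.fails, self.expect = self.fails + 1, PASSCODE
            return REJECT                   # wrong, or a replayed tokencode
        self.used = self.tick
        if self.pin is None:
            self.expect = NEW_PIN
        elif self.expect == PASSCODE and self.fails >= FAIL_LIMIT:
            self.expect = NEXT_CODE
        else:
            self.expect, self.fails = PASSCODE, 0
            return ACCEPT
        return self.expect

def login(server, pin, new_pin=""):
    """Client loop for steps 3-6: answer challenges until accept or reject."""
    reply = server.submit((pin or "") + server.codes[server.tick])
    for _ in range(4):                      # bound the challenge rounds
        if reply in (ACCEPT, REJECT):
            return reply
        if reply == NEW_PIN:
            pin, reply = new_pin, server.submit(new_pin)
        else:                               # wait for the next tokencode
            server.tick += 1                # the token display rolls over
            code = server.codes[server.tick]
            reply = server.submit(code if reply == NEXT_CODE else pin + code)
    return REJECT

CODES = ["111111", "222222", "333333", "444444"]  # constructed tokencodes
```
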

Partner Product Configuration

Before You Begin

This section provides instructions for configuring Workspot with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations.

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

RSA SecurID authentication for Workspot can either be enabled during the Workspot Express Setup or after the basic Workspot account has been configured.

Important: The SSL VPN gateway must be configured to support RSA SecurID authentication before enabling RSA for Workspot. Refer to the appropriate RSA Implementation Guide found in the Appendix of this document.

Procedure Overview

Enabling RSA during the Express Setup

To enable RSA SecurID during the Workspot Control Express Setup, select Yes as shown in Screen 1.

Screen 1 Enabling RSA during Express Setup

Enabling RSA

If the Express Setup has already been completed, RSA SecurID can be enabled using Workspot Control: first add a new Security Policy, then assign that policy to the group that will be using SecurID authentication. Refer to screens 2 through 6.

Screen 2 Adding a New Security Policy (1 of 2)

Screen 3 Adding a New Security Policy (2 of 2)

Screen 4 Assigning the RSA Security Policy to a Group (1 of 3)

Screen 5 Assigning the RSA Security Policy to a Group (2 of 3)

Screen 6 Assigning the RSA Security Policy to a Group (3 of 3)

Importing an RSA SecurID Software Token into Workspot

The Workspot client supports an integrated token, which is imported into the Workspot client. To import a token, obtain either an SDTID file or a CT-KIP URL through the RSA Authentication Manager. SDTID files should be converted to CTF format with the RSA Token Converter utility using the -mobile option. See the RSA SecurID Software Token Converter documentation at http://www.emc.com/security/rsa-securid/rsa-securid-software-authenticators/converter.htm for more information.

Note: This procedure is only required if you have a CTF or CT-KIP link and want to import that token into Workspot. It is not required if you are using an external physical or software token authenticator.

To import a token, click the CTF or CT-KIP link on the device where Workspot is installed.

(Screen 1 of 3)

This will launch the Workspot Client and import the token; enter the token file password if needed.

(Screen 2 of 3)

Once the file has been successfully imported, click OK to continue.

(Screen 3 of 3)

RSA SecurID Authentication

After RSA SecurID has been configured using Workspot Control, the policy is updated on the mobile device. Any user belonging to a group with RSA enabled will be prompted for an RSA SecurID passcode or PIN during authentication, as shown in the following device screens.

Note: Your Workspot home and application screens will look different from the following examples and will be based on the applications defined in Workspot Control.

Note: If using an integrated token, the token must be imported into Workspot before authenticating.

From the Workspot home screen, click any application, such as an internal SharePoint site, which requires authentication using the SSL VPN gateway.

(Screen 1 of 3)

RSA Authentication with External Token

To authenticate with a hardware or software token, the user should enter their username, password, and RSA SecurID passcode from the token. Depending on the token configuration, the passcode is typically “PIN + token code” for a hardware token, or the Passcode shown after the PIN is entered into the software token.

(Screen 2 of 3)

RSA Authentication with Integrated Token

To authenticate with the integrated token, the user should enter their username, password, and RSA SecurID PIN.

(Alternate screen 2 of 3)

After successful authentication, the application home page is shown (in this example, SharePoint).

(Screen 3 of 3)

Workspot RSA SecurID Authentication Screen Examples

Authentication Screens

The Workspot SecurID authentication screens shown below were captured with Workspot configured for the Cisco ASA. Other supported SSL VPN gateways display similar authentication prompts.

System generated new PIN prompts

User defined (4-8) alphanumeric PIN

Next tokencode

Certification Checklist for RSA Authentication Manager

Date Tested: September 16, 2013

Certification Environment

Product Name | Version Information | Operating System
RSA Authentication Manager | 8.0 | Virtual appliance
Cisco ASA | Cisco Adaptive Security Appliance Software Version 8.0(5)23 | Cisco IOS
Workspot | 2.0.3 iPad, iPhone | iOS 6.1

RSA SecurID Authentication – RSA Native Protocol

Windows OS X Android iOS Other

New PIN

Force Authentication After New PIN N/A N/A N/A N/A

System-Generated PIN N/A N/A N/A N/A

User Defined (4-8 Alphanumeric) N/A N/A N/A N/A

User Defined (5-7 Numeric) N/A N/A N/A N/A

Deny 4 and 8 Digit PIN N/A N/A N/A N/A

Deny Alphanumeric PIN N/A N/A N/A N/A

Deny PIN Reuse N/A N/A N/A N/A

Passcode

16-Digit Passcode N/A N/A N/A N/A

4-Digit Fixed Passcode N/A N/A N/A N/A

Next Tokencode Mode

Next Tokencode Mode N/A N/A N/A N/A

On-Demand Authentication

On-Demand Authentication N/A N/A N/A N/A

On-Demand New PIN N/A N/A N/A N/A

Load Balancing / Reliability Testing

Failover (3-10 Replicas) N/A N/A N/A N/A

No RSA Authentication Manager N/A N/A N/A N/A

GLS / PAR = Pass = Fail N/A = Not Applicable to Integration

Certification Checklist for RSA Authentication Manager

RSA Software Token Automation – RSA Native Protocol

Windows OS X Android iOS Other

PINless Token

Next Tokencode Mode N/A N/A N/A N/A

PINpad-style Token

Deny Alphabetic PIN N/A N/A N/A N/A

Next Tokencode Mode N/A N/A N/A N/A

Fob-style Token

16-Character Passcode N/A N/A N/A N/A

Alphanumeric PIN N/A N/A N/A N/A

Next Tokencode Mode N/A N/A N/A N/A

Other

Password-Protected Token N/A N/A N/A N/A

System-Generated PIN N/A N/A N/A N/A

GLS / PAR = Pass = Fail N/A = Not Applicable to Integration

Appendix

Software Token SDK Integration Details

Item | Android | iOS | Other

RSA Software Token SDK
RSA Software Token SDK Version | N/A | 1.5 | N/A

RSA Software Token Data Display
Display Token Serial Number | N/A | Yes | N/A
Display Token Expiration Date | N/A | Yes | N/A
Number of Tokens Supported | N/A | 1 | N/A

Provisioning
File-Based | N/A | No | N/A
CT-KIP | N/A | Yes | N/A
CTF | N/A | Yes | N/A

Secured by RSA Certified Implementation Guides

Cisco ASA Series Adaptive Security Appliance https://gallery.emc.com/docs/DOC-1167

Dell SonicWALL Secure Remote Access (SRA) https://gallery.emc.com/docs/DOC-2317

F5 Networks BIG-IP https://gallery.emc.com/docs/DOC-1231

Juniper Networks Secure Access SSL VPN https://gallery.emc.com/docs/DOC-1297