Connection Settings
2X Publishing Agent
On this page you may configure which port to use for the publishing agent service. You can also configure the authentication options.
Connection Settings page – Publishing Agent Tab
Authentication Panel
To make sure that every single client authenticates against 2X ApplicationServer before retrieving the list of published applications, enable the ‘Always require user credentials for application list’ checkbox.
To authenticate against a specific Domain/workgroup, select the ‘Domain’ radio button and enter the required domain/workgroup information.
In case you want to select a new domain for authentication, simply click on the ‘...’ (browse) button and select the new domain to be used. You can also use the ‘Default’ button to choose the default domain/workgroup used for authentication.
Select ‘All Trusted Domains’ if you want to authenticate with any trusted domain/workgroup.
The ‘Use client domain if specified’ box is checked by default. This option allows users to specify the domain to authenticate against in their client (2X Client – General options - Domain). If the client does not specify any domain, and this option is enabled, the authentication is done with the domain specified in the Authentication panel as displayed in the above figure.
When this option is disabled, the clients will only authenticate with the domain specified in the domain field of the authentication panel on the server side.
It is recommended that you check ‘Always require User Credentials for application list’, so that all users must authenticate before acquiring the application list.
Click ‘Clear cached session IDs’ to clear all cached session IDs.
Make sure to click ‘Apply’ to activate the above settings.
Settings Panel
In the Settings panel on the 2X Publishing Agent tab, the 2X Publishing Agent Port (default TCP 20002) is the port used to pass information about the published applications available to its clients.
The default port is TCP 20002. Make sure the 2X Secure Client Gateway has access to this port, otherwise it will not be able to retrieve the published applications list and load balance the application requests.
The 2X Terminal Server Agent Port (default TCP 20003) is used to communicate with the 2X Terminal Server Agents, which should be installed on the terminal servers or Citrix MetaFrame Servers. The 2X Terminal Server Agent provides information to the 2X ApplicationServer over this port.
Settings Panel
NOTE: In case you want to authenticate with a workstation not joined within a domain, you can also authenticate with the local users of the workstation.
In order to specify authentication with a workstation, you must enter [workgroup_name] / [machine_name]. Therefore if you would like to authenticate against a machine named ‘SERVER1’ that is a member of the workgroup named ‘WORKGROUP’, you would have to enter: WORKGROUP/SERVER1 in the domain field.
NOTE: In order to avoid user filtering problems, it is suggested to use the NetBIOS name instead of the FQDN in the domain field.
Second Level Authentication
To add two-factor authentication to your 2X ApplicationServer, select the ‘Enable second level authentication’ checkbox, and then choose a second level provider.
You can choose between the following providers:
Each provider has its own settings.
Click on ‘Settings’ and a new window will open, allowing you to configure your provider settings.
Deepnet Settings
Connection Tab
Enter the server name and port that you saved while setting up your Authentication Server. Click on ‘Check Connection’ to test that your Authentication Server can be reached. You can choose to connect to your Deepnet server over SSL by checking the ‘Enable SSL’ checkbox.
Deepnet Unified Authentication Platform: Connection Properties
Application Tab
Select the application profile that will use Deepnet to authenticate its users in the ‘Application’ field.
The ‘Default Domain’ fields will enable you to choose the default domain used for authentication and when users are added. Any Deepnet user accounts imported or verified will be done so using this default domain.
The ‘Use LDAP’ checkbox should be checked if you are importing Deepnet user accounts and groups that contain other sub-groups.
Deepnet Unified Authentication Platform: Application Properties
The ‘Import Deepnet user accounts...’ button will automatically add the specified users/groups into the Deepnet application.
The ‘Verify Deepnet user account names’ button checks that all the users in the Deepnet application are in the following format: \\domain\username.
Users added in the format of username@domain will be automatically changed to the appropriate format and users without a domain will have the default domain assigned to them.
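A pre-import check for a user list, following the naming rules described above. This is an added example, not 2X or Deepnet code: the function names and sample accounts are constructed, rejecting malformed names is an assumption, and the FQDN flag follows this page's note that NetBIOS names are suggested in the domain field.

```python
def normalize_account(raw: str, default_domain: str) -> str:
    """Return the account as \\\\domain\\username, the format the page names."""
    name = raw.strip()
    if name.startswith("\\\\"):                 # already \\domain\username
        domain, sep, user = name[2:].partition("\\")
    elif "@" in name:                           # username@domain
        user, sep, domain = name.rpartition("@")
    else:                                       # bare username: default domain
        domain, sep, user = default_domain, "\\", name
    malformed = (not (sep and domain and user)
                 or any(c in user for c in "\\@")
                 or any(c in domain for c in "\\@"))
    if malformed:
        # Assumption: anything outside the three documented forms is rejected.
        raise ValueError(f"unrecognised account name: {raw!r}")
    return "\\\\" + domain + "\\" + user


def audit_accounts(names, default_domain):
    """Return (normalized, rejected, fqdn_flagged) for a list of raw names."""
    normalized, rejected, flagged = [], [], []
    for raw in names:
        try:
            account = normalize_account(raw, default_domain)
        except ValueError:
            rejected.append(raw)
            continue
        normalized.append(account)
        # A dotted domain looks like an FQDN rather than a NetBIOS name.
        if "." in account[2:].split("\\", 1)[0]:
            flagged.append(account)
    return normalized, rejected, flagged


# Constructed sample input, not taken from a real directory.
SAMPLE = ["alice@CORP", "bob", "\\\\CORP\\carol",
          "dave@corp.example.com", "eve@", "a@b@c"]
NORMALIZED, REJECTED, FQDN_FLAGGED = audit_accounts(SAMPLE, "CORP")
```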
The Deepnet Applications dialog allows you to choose the application which is used by 2X ApplicationServer for authentication. You can also create an application which will be added on the Deepnet server.
Authentication Tab
Deepnet Unified Authentication Platform: Authentication Properties
Select how you want your users to be authenticated.
- ‘Mandatory for all users’ means that every user using the system must login using two-factor authentication.
- ‘Create token for Domain Authenticated Users’ will allow 2X ApplicationServer to automatically create software tokens for Domain Authenticated Users. Choose a token type from the drop down list. Note that this option only works with software tokens.
- ‘Use only for users with a Deepnet account’ will allow users that do not have a Deepnet account to use the system without having to login using two-factor authentication.
From the Allow Channels section, you specify what ‘channels’ are available to the user to activate the token or when requesting a Quick ID OTP.
For example, if you select Email as the ‘Allow Channel’, the activation code can be sent only via Email as shown below.
2X Client – Activate Token via E-mail channel only
SafeNet Settings
SafeNet Properties
On the Connection tab, enter your OTP Service URL and then click on the ‘Check connection’ button to verify the URL connection.
On the Authentication tab, select an authentication Mode.
Modes:
- Mandatory for all users: All users use the same log on authentication.
- Create token for Domain Authenticated users: A new token is created for each authentication domain user.
- Use only for users with a SafeNet account: Only users that have access to a SafeNet account will be allowed access.
TMS Web API URL: URL of the SafeNet server. This is required to be able to create tokens for Domain authenticated users.
User Repository: Where the authentication files reside on the server.
Radius Settings
Configuring Radius Properties
The following window shows the connection properties:
- In the ‘Server’ text box enter the hostname or IP of the Radius Server.
- In the ‘Port’ text box enter the port number for the Radius Server. You can insert the default port number (1812) by clicking the ‘Default...’ button.
- In the ‘Timeout’ text box, specify the packet timeout in seconds.
- In the ‘Retries’ text box, specify the number of retries when attempting to establish a connection. The global timeout is timeout * retries.
- Click the ‘Check connection’ button to validate the connection settings entered above. If the connection settings are configured correctly, you will see the following message:
- In the ‘Secret Key’ text box, insert the secret key which must match the secret key specified on the Radius server.
- Specify the ‘Password Encoding’, either PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol), according to the setting specified on the Radius Server. Click ‘Ok’ after configuring the connection settings.
Configuring Radius Attributes
Radius Attribute Value Pairs might be needed in order to authenticate with your Radius server.
To configure an Attribute Value please select the ‘Attribute’ tab:
Click ‘Add’ to add an Attribute to the list.
- Select the vendor for the attribute from the ‘Vendor’ dropdown list.
- Select the vendor attribute from the ‘Attribute’ dropdown list.
- Enter the value for the selected attribute. The value can be a numeric value, a string, an IP or a time value.
Adding Vendor Attributes
In order to manually add a Vendor Attribute, you need to modify the file ‘RadiusAttr.def’. Please find the file in the installation folder of Application Server. The default location of the Application Server is:
C:\Program Files (x86)\2X\ApplicationServer
The following describes how to add a new vendor called “Vendor Example” with 4 attributes values.
- Open the ‘RadiusAttr.def’ file with notepad.
2X Application Server – RadAttr.def file.
- Increment the count in the ‘Vendor section’. In this case the count was incremented from 18 to 19.
- Add the vendor ID and vendor name as highlighted above. Please note that the id and name tag start with the previous count value.
- Create a section under the vendor-Attributes using the id as the name of the section, in this case 777.
- Add the count of attributes provided and enter the description for each attribute. Please note that the attribute type must be one of the following:
| Type | Value |
| String | 0 |
| Numeric | 1 |
| IP | 2 |
| Time | 3 |
- Verify that the attributes added load properly in the configuration window.
Exclusion Panel
Second Level Authentication - Exclusion Settings
- ‘User / Group exclude list’ allows you to add users or groups within your active directory that will be excluded from using Deepnet Authentication.
- ‘Client IP exclude list’ allows you to add IP addresses or a range of IP addresses that will be excluded from using Deepnet Authentication.
- ‘Client MAC exclude list’ allows you to add MAC addresses that will be excluded from using Deepnet Authentication.
- ‘Connection to the following Gateway IPs’ allows you to set a Gateway where users connected to the Gateway will be excluded from using Deepnet Authentication.
NOTE: For more information about Deepnet refer to the PDF document ‘Setting Up Deepnet for 2X ApplicationServer’.
Published Items Listing Tab
The Published Items Listing tab allows you to configure which type and version of the clients available are allowed to list the published items.
The ‘Allow published items listing from All Clients’ button will allow published items from all clients.
Published Items Listing Tab
The ‘Allow published items listing only from’ selection gives the administrator the ability to allow published items only from the specified 2X Client running the build set or higher.
For example, if a 2X Windows Client user requests the application listing from a 2X Client with a build lower than the one specified in the text box above, the following error is seen:
Published Items Listing Tab