New Features
New tunneling method: Turbo tunnel for L3 VPN
HySecure Turbo tunnel is a new tunneling mechanism that works at layer 3, routing IP traffic from the end user's machine to the corporate network over a UDP-based tunnel. When enabled, a virtual IP address is assigned to the end user's PC, so that TCP, UDP and ICMP traffic can be exchanged between the PC and the corporate network. Because the tunnel runs over UDP, it gives better performance for real-time applications such as VoIP and graphics-heavy applications over VDI, and for VDI users generally. Applications that need a reverse connection (a connection originated by the server-side application towards the end user) are now supported through the Turbo tunnel. Turbo tunnel can be enabled for specific applications or for specific users; since it exposes the client at the IP layer rather than per application, scope it to the applications and users that need it.
Support for AD/LDAP failover
This build allows the Administrator to configure failover AD or LDAP servers for better availability of authentication and authorization. If the primary authentication server is unavailable, whether because of a network failure or server downtime, one of the failover authentication servers takes over its function. This keeps operations that depend on the directory available, such as user authentication at login, fetching user lists for application access, and any other operation that needs to connect to the authentication server.
Support for facial and fingerprint biometric verification as one of MFA options
In conjunction with Accops BioAuth, the Administrator can configure users to provide biometric details as part of multi-factor authentication. Both facial and fingerprint verification are currently supported. See Accops BioAuth for more details.
Support for continuous monitoring of a user working on logged in device
In conjunction with Accops BioAuth, the Administrator can configure periodic monitoring of the user's environment through the webcam at preset intervals, to check for the presence of unauthorized people and counter concerns such as shoulder surfing and identity impersonation. See Accops BioAuth for more details.
Automation of device identity check using a customer owned service
When manual review and approval for devices is configured, a device connecting to the HySecure gateway must be approved before the end user is allowed access to any app from it. This manual approval process places an additional burden on the IT team, which has to approve each device.
Any organization that already has a service or database recording corporate device identities, and that can return an approval status based on device properties, can configure the HySecure gateway to communicate with that service and approve devices automatically, without manual intervention by the Admin. HySecure makes an HTTP call to the external service with the MAC ID, motherboard ID and hostname of the incoming device, and the service confirms the device's identity from these properties. Because these properties are reported by the client, the service should check them against an authoritative inventory rather than approve any device that presents them. This feature is disabled by default. To enable it, go to Settings → Global → Servers in the management console.
!!! Note:
The default validation script does nothing and does not approve any device. To use this feature, the script /home/fes/pyapp/validateMACForUser.py must be customized to communicate with the device approval service.
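The following is an added example of what a customized approval hook could look like; it is not Accops' validateMACForUser.py and the real script's function names, argument order and return convention are not documented here. The inventory URL, the API key, the JSON request shape and the in-memory inventory are all constructed for the example. The point it demonstrates is the check a practitioner wants in such a hook: the three client-reported properties are matched exactly against the inventory record, and any malformed input, service error or partial match fails closed.

```python
"""Illustrative device-approval hook (added example; not Accops' script).
Assumed interface: approve_device(mac, motherboard_id, hostname) -> bool."""
import json
import re
import urllib.request
from typing import Callable, Optional

INVENTORY_URL = "https://inventory.example.internal/api/v1/devices"  # assumed
API_KEY = "replace-me"  # assumed; load from a secret store in practice

_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> Optional[str]:
    """Canonicalise 'AA-BB-CC-DD-EE-FF' / 'aabb.ccdd.eeff' / 'aa:bb:..' to
    lowercase colon-separated form; None if it is not a valid MAC."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        return None
    canon = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    return canon if _MAC_RE.match(canon) else None


def build_request(mac: str, motherboard_id: str, hostname: str) -> urllib.request.Request:
    """HTTPS POST carrying the three client-reported properties as JSON, so
    unusual characters in a hostname cannot alter the request."""
    body = json.dumps({"mac": mac, "motherboard_id": motherboard_id,
                       "hostname": hostname}).encode()
    return urllib.request.Request(
        INVENTORY_URL, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {API_KEY}"})


def decide(record: dict, mac: str, motherboard_id: str, hostname: str) -> bool:
    """Approve only if the inventory record is 'approved' AND every property the
    client reported matches it. MAC and hostname are trivially spoofed, so a
    partial match counts as a mismatch."""
    if record.get("status") != "approved":
        return False
    return (normalize_mac(record.get("mac", "")) == mac
            and record.get("motherboard_id") == motherboard_id
            and record.get("hostname", "").lower() == hostname.lower())


def https_fetch(req: urllib.request.Request) -> dict:
    with urllib.request.urlopen(req, timeout=5) as resp:  # default context verifies TLS
        return json.load(resp)


def approve_device(mac: str, motherboard_id: str, hostname: str,
                   fetch: Callable = https_fetch) -> bool:
    canon = normalize_mac(mac)
    if canon is None or not motherboard_id or not hostname:
        return False  # malformed input: fail closed
    try:
        record = fetch(build_request(canon, motherboard_id, hostname))
    except Exception:
        return False  # unreachable service / bad response: fail closed
    return decide(record, canon, motherboard_id, hostname)


# Constructed inventory standing in for the HTTP service so the example runs offline.
_FAKE_INVENTORY = {
    "00:11:22:33:44:55": {"status": "approved", "mac": "00-11-22-33-44-55",
                          "motherboard_id": "MB-7781", "hostname": "LT-ALICE"},
    "66:77:88:99:aa:bb": {"status": "retired", "mac": "66:77:88:99:aa:bb",
                          "motherboard_id": "MB-0042", "hostname": "lt-bob"},
}


def fake_fetch(req: urllib.request.Request) -> dict:
    mac = json.loads(req.data)["mac"]
    if mac not in _FAKE_INVENTORY:
        raise KeyError("unknown device")
    return _FAKE_INVENTORY[mac]


if __name__ == "__main__":
    print(approve_device("00-11-22-33-44-55", "MB-7781", "lt-alice", fetch=fake_fetch))  # True
```

Swapping `fake_fetch` for the default `https_fetch` is the only change needed to talk to a real service; keep the fail-closed behaviour, since a hook that approves on timeout turns an outage into an open door.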
Device approval for a user in the organization
Support is now added to approve a device logon for any user in the organization/realm instead of for a specific user. This is useful for deployments where devices are owned by the corporation, shared between multiple users, and require manual approval. Rather than approving the same device for each user, the device can now be approved once for any authenticated user. This feature is disabled by default to keep behaviour consistent with previous versions. It can be enabled from Settings → Global → Server.
MFA using Push Notification on mobile and PC
With this release, the HySecure gateway can send notifications to the HyID app installed on a user's mobile phone or PC for seamless MFA. The Administrator can configure the MFA policy in two ways:
- Allow users to authenticate by sending consent from the HyID app.
- Require the consent to be accompanied by an additional security token. Possible tokens are:
▪ SMS OTP
▪ email OTP
▪ mobile token
▪ PC token
▪ hardware tokens
▪ biometric token
- When using the mobile app, the consent is approved with a single click.
- When using a PC, the consent requires the user to enter an additional token, unless the PC is registered with a PC token.
Consent-only approval relies on users declining prompts they did not initiate; the option that pairs the consent with an additional token is the stronger policy.
Geo Location collection of the end user's phone from HyID mobile Applications
Newer versions of the HyID mobile apps support sending the device's location to the HySecure gateway along with the consent. This build allows Administrators to monitor the location of devices and the consent being received, and to deny login requests from users who do not accept the location-sharing permission. The logs contain the following information:
• The type of client used to approve the consent
• The location details of the device like longitude, latitude, address and PIN code
• If no location is received or if the user approves consent without allowing the location to be sent, HyID logs will record it as "No location received from client".
The feature is configured by editing the file /home/fes/fescommon/public_host.conf from the command line:
- IsLocationMandatory: set the tag value to TRUE to make location sharing mandatory; a user who denies location sharing will not be able to log in. If set to FALSE, the user has the option not to share their location.
- CollectLocation: set the tag value to TRUE to enable collection of the location from the end user.
CAPTCHA support during Login page and on Self-Service Portal
A new CAPTCHA with enhanced security to prevent brute-force attacks can now be configured on the login page and the self-service portal. The CAPTCHA is enabled on a per-domain basis in the HySecure Domain settings.
The API protocol version APIv2 must be enabled for the new CAPTCHA to work. When APIv2 is enabled on a realm, the web login always shows the CAPTCHA. Older HySecure clients that do not support APIv2 fall back to APIv1 and do not show the CAPTCHA; only clients with APIv2 support show it. Logins arriving over the APIv1 fallback are therefore not gated by the CAPTCHA, so its brute-force protection covers only the web login and APIv2 clients.
Improved Multi-tenancy experience for users: Detect Realm Automatically
A single HySecure cluster can be used by multiple organizations, or by groups within one organization, that have their own domain names, such as company1.provider.com and company2.provider.com. Each organization has a corresponding HySecure Domain (Realm), 'company1' and 'company2', configured on the gateway.
The full list of organizations no longer needs to be shown to every user of every organization: a domain name or URI can now be configured for each organization separately, so end users reach their own organization's login page directly, regardless of the other realms configured on the gateway. This is done by configuring the desired domain name and URI in the HySecure Domain settings.
The feature can also be enabled or disabled from the Global Settings. The configured hostname or URI can be used to reach the organization's login page directly, either from a browser or from the HySecure client. Thus, accessing company1.provider.com or provider.com/ra/company1 takes the user straight to company1's login page without showing the full list of organizations.
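As an added example (illustrative only, not HySecure's own logic), the selection rule described above can be expressed as a small function that maps a request's Host header or URI path to a realm. The realm table is constructed from the two names in the text; the rule that the hostname is checked before the path, and that an unknown or unmatched request falls back to the full realm list (returned here as None), is an assumption. The security-relevant detail is that matching is exact, so a lookalike hostname or a path sharing a prefix with a configured URI does not land on a realm's page.

```python
"""Realm detection from Host header or URI path (added example, not product code)."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed realm table: what an admin would set under HySecure Domain settings.
REALMS = {
    "company1": {"hostname": "company1.provider.com", "uri": "/ra/company1"},
    "company2": {"hostname": "company2.provider.com", "uri": "/ra/company2"},
}


def _host_only(host_header: str) -> str:
    """Strip port, IPv6 brackets and case so 'Company1.Provider.com:443' matches."""
    h = host_header.strip().lower()
    if h.startswith("["):  # IPv6 literal such as [::1]:443
        return h.split("]")[0][1:]
    return h.split(":")[0]


def detect_realm(host_header: str, path: str, realms=REALMS) -> Optional[str]:
    """Return the realm whose configured hostname equals the Host header; else the
    realm whose configured URI equals the path or is a path-segment prefix of it.
    Matching is exact (no substring matching, so 'evil-company1.provider.com' and
    '/ra/company10' do not match). None means 'show the full realm list'."""
    host = _host_only(host_header)
    for name, cfg in realms.items():
        if cfg["hostname"].lower() == host:
            return name
    p = urlsplit(path).path.rstrip("/") or "/"
    for name, cfg in realms.items():
        uri = cfg["uri"].rstrip("/")
        if p == uri or p.startswith(uri + "/"):
            return name
    return None


if __name__ == "__main__":
    print(detect_realm("provider.com", "/ra/company1"))  # company1
```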
Customizable Client setting for individual User, Group or OU
Previous versions of the HySecure gateway applied client settings to all users at a global level. This release adds support for creating a set of settings and applying it to users, groups or OUs. Multiple client setting configurations can be defined and applied to different subsets of users through a new type of ACL called "Client configurations". This ACL can be applied to specific users, groups of users or a realm.
To facilitate this, client settings are restructured into three layers:
1. Global -> Client settings: settings needed by clients before the user is authenticated, independent of user identity or membership. These apply globally to all users and all realms.
2. Policies -> Client Profile -> Default Configuration: a default client configuration set that applies to all users. Options in this set can be customized. There is no overlap between the "Global Client Settings" and this set.
3. Policies -> Client Profile -> Client Configuration: a new client configuration object can be created that inherits from the default configuration. One or more options can be modified in the new object, while unmodified options continue to be inherited from the default settings, reducing the Admin's management burden. The new object can then be applied to users, groups or OUs through the Client Configuration ACL.
Note
When there is no Client configuration ACL applicable for a user, default settings will be used.
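The following added example (illustrative only, not HySecure's implementation) models the layering described above: a default configuration, named configuration objects that store only their overrides, and an ACL that maps a user, group, OU or realm to one object. The option names, the ACL entries and the rule that entries are evaluated top-down with the first match winning are assumptions made for the example; the notes only state that an unmatched user gets the default settings. It shows the inheritance property in practice: an option changed in the default flows through to every object that did not override it.

```python
"""Effective per-user client settings with inheritance (added example, not product code)."""
from typing import Dict, List, Optional, Tuple

# Constructed default configuration (Policies -> Client Profile -> Default Configuration).
DEFAULT_CONFIG: Dict[str, object] = {
    "auto_launch_app": False,
    "idle_timeout_min": 30,
    "allow_clipboard": True,
}

# Named objects hold ONLY the options they override; everything else is inherited.
CLIENT_CONFIGS: Dict[str, Dict[str, object]] = {
    "finance-locked": {"allow_clipboard": False, "idle_timeout_min": 10},
    "kiosk": {"auto_launch_app": True},
}

# Constructed ACL: (subject kind, subject value, configuration object), evaluated top-down.
ACL: List[Tuple[str, str, str]] = [
    ("user", "alice", "kiosk"),
    ("group", "finance", "finance-locked"),
    ("realm", "company1", "kiosk"),
]


def materialize(config_name: Optional[str]) -> Dict[str, object]:
    """Default overlaid with the object's explicit overrides (None -> plain default)."""
    if config_name is None:
        return dict(DEFAULT_CONFIG)
    return {**DEFAULT_CONFIG, **CLIENT_CONFIGS[config_name]}


def applicable_config(user: dict) -> Optional[str]:
    """First ACL entry matching the user's name, groups, OU or realm; None if none apply."""
    for kind, subject, config_name in ACL:
        if kind == "user" and subject == user["name"]:
            return config_name
        if kind == "group" and subject in user.get("groups", ()):
            return config_name
        if kind == "ou" and subject == user.get("ou"):
            return config_name
        if kind == "realm" and subject == user.get("realm"):
            return config_name
    return None


def effective_settings(user: dict) -> Dict[str, object]:
    return materialize(applicable_config(user))


if __name__ == "__main__":
    print(effective_settings({"name": "bob", "groups": ["finance"], "realm": "company2"}))
```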
Named User License support
With this release, licenses can carry a "Named User" entitlement. When a Named User license is applied, the following users are counted as licensed users:
1. Any user who has logged in, has a profile created on HySecure and is listed under "User Profile". A disabled or blocked user profile is not counted as licensed.
The following users are excluded and are not counted under the Named User license:
1. HySecure admins: Security Officer, Administrators and monitoring users
2. Any user blocked on HySecure under the User Profile tab
It is possible to switch from a Concurrent User license to a Named User license and vice versa. If the number of user profiles exceeds what the applied Named User license allows, the following actions are taken:
▪ A set of user profiles is disabled so that the count of enabled user profiles matches the number of Named User licenses installed.
▪ User profiles are disabled in order of last login, least recent first, so inactive users are disabled before active ones.
▪ Security Officer and Administrator level users are never disabled.
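The reconciliation rules above, as an added example (illustrative only, not HySecure's code): count enabled non-admin profiles, and if they exceed the licensed number, disable profiles starting from the least recent last login until the count fits, never touching Security Officer or Administrator profiles. The profile fields and the rule that a profile which has never logged in sorts as least recent are assumptions; the sample profiles are constructed.

```python
"""Named-user license reconciliation (added example, not product code)."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

ADMIN_ROLES = {"security_officer", "administrator", "monitoring"}  # not counted
NEVER_DISABLE = {"security_officer", "administrator"}               # never disabled


@dataclass
class Profile:
    name: str
    role: str = "user"
    last_login: Optional[datetime] = None   # None = never logged in (assumed field)
    enabled: bool = True                    # False = disabled/blocked


def licensed_users(profiles: List[Profile]) -> List[Profile]:
    """Profiles that consume a Named User license: enabled and not an admin role."""
    return [p for p in profiles if p.enabled and p.role not in ADMIN_ROLES]


def reconcile(profiles: List[Profile], named_licenses: int) -> List[str]:
    """Disable surplus profiles in place; return the names disabled, in order."""
    surplus = len(licensed_users(profiles)) - named_licenses
    if surplus <= 0:
        return []
    candidates = [p for p in licensed_users(profiles) if p.role not in NEVER_DISABLE]
    # Never-logged-in first, then oldest last_login first.
    candidates.sort(key=lambda p: (p.last_login is not None, p.last_login or datetime.min))
    disabled = []
    for p in candidates[:surplus]:
        p.enabled = False
        disabled.append(p.name)
    return disabled


def sample_profiles() -> List[Profile]:
    """Constructed sample data."""
    return [
        Profile("root-so", "security_officer", datetime(2024, 1, 1)),
        Profile("alice", last_login=datetime(2024, 3, 1)),
        Profile("bob", last_login=datetime(2024, 2, 1)),
        Profile("carol"),                                       # never logged in
        Profile("dave", last_login=datetime(2024, 4, 1)),
        Profile("erin", last_login=datetime(2024, 5, 1), enabled=False),  # blocked
    ]


if __name__ == "__main__":
    profiles = sample_profiles()
    print(reconcile(profiles, 2))  # ['carol', 'bob']
```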
Configuration Sync between multiple sites
When an organization has HySecure clusters deployed in multiple datacenters, users are expected to be able to log in from any location and access the resources available at that site. To enable such seamless mobility, the clusters must be kept in sync with each other. The multi-site sync function syncs configurations and user data across multiple clusters, even when they are geographically distributed.
Once multi-site sync is configured and enabled, a user need not be onboarded separately on each site: onboarding on one site gives access across all sites. In the multi-site sync module, one site plays the role of the Management cluster and the remaining sites are Site participants. The Management cluster creates the cluster for sync, prepares each site for syncing, initiates the scheduled sync process and generates alerts. A Management cluster can serve users too, like any other HySecure cluster, with the additional function of syncing configurations to the other sites. A Management cluster needs network access and an outbound connection to the other sites.