
New Features v5.4 SP5

Support for HySecure Gateway behind WAF

Previous versions of HySecure Gateway required all gateway traffic to be bypassed on the Web Application Firewall (WAF). An enhanced App Connect using a Hello protocol has been implemented to remove this limitation; a corresponding (updated) client is required for such a deployment.

To configure the App Connect:

  • Add sites to the Management Cluster

  • Create Site Group

  • Add sites to the Site Group

  • Create an App by selecting the Site Group

Limitations:

  • For Turbo-type applications, App Connect is not supported.

  • Sites should be configured within the same cluster.

Hostname-based Reverse Proxy App Support

This release supports the use of Hostname-Based Reverse Proxy (HBRP) applications. The reverse proxy method is used to access HTTP/HTTPS applications via the HyLite portal. Adding HBRP support has simplified the configuration process for reverse proxy rules.

Types of HBRP-based Web applications

For HBRP-based Web applications, the access method must be DNS-based (the URL Rewriting access method is used for the old web VPN access flow). HBRP-based web applications are further divided into two subcategories:

  1. Application FQDN: A Security Officer (SO) or Administrator provides the required web application hostname as the Application FQDN. This Application FQDN must be mapped to the HySecure gateway’s IP address in the DNS server.

  2. Sub Domain: In this method, the application is configured by providing a prefix to the HySecure gateway’s Authentication Site FQDN. The application resolves to the final FQDN formed by prepending the sub-domain prefix to the HySecure gateway’s Authentication Site FQDN.

Important

  • The Gateway will not use the application server’s SSL certificate. The Security Officer or Administrator must configure a valid SSL certificate on the HySecure Gateway whose SAN (Subject Alternative Name) entries cover every FQDN or sub-domain used by reverse proxy applications.
  • Every application must have a separate FQDN pointing to the HySecure Gateway.
  • If a WAF is configured, the FQDN should resolve to the WAF server instead of the HySecure Gateway.

Configure HBRP-based Web Application

  1. Modify or add a site under Sites and enter the Public IP Address as an FQDN (mandatory for sub-domain-based, DNS-based reverse proxy applications).

  2. Enter all the required details and ensure the FQDN entered as the Public IP Address is valid.

  3. Configure the Authentication Site under Settings and ensure that the authentication site is reachable from the gateway. Currently, a hosts entry mapping the FQDN used for the authentication site to the loopback address must be added on all nodes.

  4. Add a Web Application and enable the reverse proxy feature.
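As an added example (not Accops’ code) covering the certificate and DNS prerequisites above: this Python check derives the FQDN each HBRP application is served on (the Application FQDN, or the sub-domain prefix plus the Authentication Site FQDN), confirms it is covered by the gateway certificate’s SAN list with correct wildcard semantics, confirms no two applications share an FQDN, and confirms each FQDN resolves to the WAF when one is in front, otherwise to the gateway. The hostnames, addresses and the `resolver` map standing in for DNS are constructed placeholders.

```python
AUTH_SITE_FQDN = "auth.example.com"  # constructed: Authentication Site FQDN
GATEWAY_IP = "203.0.113.10"          # constructed (TEST-NET-3 address)
WAF_IP = "203.0.113.20"              # constructed; set to None when no WAF is in front

def served_fqdn(app: dict) -> str:
    # app is {"name", "app_fqdn"} (Application FQDN type) or
    # {"name", "prefix"} (Sub Domain type: prefix + Authentication Site FQDN)
    if "app_fqdn" in app:
        return app["app_fqdn"].lower()
    return f"{app['prefix']}.{AUTH_SITE_FQDN}".lower()

def san_matches(san: str, host: str) -> bool:
    # RFC 6125-style: a wildcard is honoured only as the leftmost label and matches
    # exactly one label, so *.auth.example.com does not cover a.b.auth.example.com
    san, host = san.lower(), host.lower()
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]  # ".auth.example.com"
    if not host.endswith(suffix):
        return False
    left = host[:-len(suffix)]
    return bool(left) and "." not in left

def check_apps(apps: list, san_entries: list, resolver: dict) -> list:
    # Returns findings (empty list means consistent). `resolver` stands in for DNS
    # (hostname -> IP); with a WAF in front, app FQDNs must resolve to the WAF.
    expected_ip = WAF_IP or GATEWAY_IP
    findings, seen = [], set()
    for app in apps:
        fqdn = served_fqdn(app)
        if fqdn in seen:  # every application needs its own FQDN
            findings.append(f"{app['name']}: {fqdn} already used by another app")
        seen.add(fqdn)
        if not any(san_matches(s, fqdn) for s in san_entries):
            findings.append(f"{app['name']}: {fqdn} not covered by certificate SAN")
        if resolver.get(fqdn) != expected_ip:
            findings.append(f"{app['name']}: {fqdn} must resolve to {expected_ip}")
    return findings

# Constructed sample: gateway certificate SAN list, four apps and one DNS view
SAMPLE_SAN = ["auth.example.com", "*.auth.example.com", "crm.example.com"]
SAMPLE_APPS = [{"name": "crm", "app_fqdn": "crm.example.com"},
               {"name": "wiki", "prefix": "wiki"},
               {"name": "hr", "app_fqdn": "hr.example.com"},  # not in SAN, wrong DNS
               {"name": "deep", "prefix": "a.b"}]             # two labels under wildcard
SAMPLE_DNS = {"crm.example.com": WAF_IP, "wiki.auth.example.com": WAF_IP,
              "hr.example.com": GATEWAY_IP, "a.b.auth.example.com": WAF_IP}

def run_sample() -> list:
    return check_apps(SAMPLE_APPS, SAMPLE_SAN, SAMPLE_DNS)
```

Run `run_sample()` before enabling the reverse proxy feature; an empty list means every application FQDN is both certificate-covered and fronted as the deployment expects.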

Auth as a Service

This release includes an improved QR code feature for mobile token registration that supports push notifications and passwordless login to the HySecure gateway. The DMS (Device Management System) sends push notifications, while the Device Registration System (DRS) handles the registration of entities (users, services, or devices) within the ecosystem.

Configuration of Auth as a Service

Connect to the HySecure Gateway via SSH and enable Auth as Service.

Note

The gateway must have an internet connection, as the HySecure gateway requests a token from the cloud service to connect to Auth as a Service. Once Auth as a Service is configured this way, users can choose the new push notification and mobile token registration flow.

How to register the user for Auth as a Service

User registration for Auth as a Service works through mobile token registration. A HyID policy should be created in which:

  1. the mobile token is enabled
  2. push notification is selected as the OTP channel
  3. self-registration is enabled

On login, the user will be prompted with a 2FA page from which the user can enroll mobile tokens. Users can choose mobile tokens or push notifications from available options.

Users may get the option to display legacy or enhanced QR, described below.

  • Other Authenticator (Legacy QR code): This is an old method of mobile token registration where an old QR is displayed to the user, which can only be used for mobile tokens. This QR can be scanned by the HyID app or any third-party Authenticator app like Google Authenticator or Microsoft Authenticator. In this QR code, a push notification is not supported, and users can only use the OTP to log in with a mobile token.
  • Accops HyID (Enhanced QR Code): Enhanced QR is a new mobile token registration mode supporting a push notification system. With this Enhanced QR code, users can register for Auth as a Service, request a new push notification, and use that device for passwordless login. Enhanced QR code is supported by the new HyID client only. Any other authenticator apps are not supported for mobile token registration.

Once the user profile is registered in the HyID app, the user can use Auth as a Service and passwordless login through the HyID app.

Passwordless login

With this feature, the user can log in using an authentication device instead of legacy methods such as username and password. The Accops HyID application is installed on the authentication device, and the user is registered for a mobile token.

The passwordless login feature is domain-independent, i.e., if a user who is registered for Domain A selects Domain B while logging in, the user will automatically be logged into Domain A only.

This feature is tightly coupled with Auth as a Service; the two share a common configuration.

Auth as a Service must be configured to use passwordless authentication, and passwordless login must be enabled. The user is then shown an option for passwordless login, as shown below.

After selecting Passwordless Sign in, a QR code like the one shown below will be displayed.

The user needs to scan the QR code from the HyID application where the user has enrolled for a mobile token. Once the QR code is scanned, the user is logged in to the gateway without asking for any other details.

How to register for a Passwordless login

  1. Access HyLite Portal and select Password Less Sign-in.

  2. A link to “register” for Password Less Sign-in and a QR code is displayed. Select the “register” link.

  3. Enter the username and password of the user registering for the Password Less Sign-in and select “Register Device.”

  4. Select the authentication method and request an OTP.

  5. Enter the OTP for verification and select Next.

  6. Select Accops HyID as an authenticator application.

  7. Scan the QR code from the Accops HyID mobile application to register for Password Less Sign-in and select Next.

  8. Enter the six-digit OTP shown in Accops HyID to verify.

  9. The user is redirected to the login page after clicking the Close button.

Sign in with MFA only

This release introduces a new feature allowing users to verify their identity and log into the HySecure gateway using MFA tokens. Users are not required to enter a password during the login process, making it convenient and secure to access their accounts. For users/user groups who exclusively need MFA to log in, the HyID policy is mandatory.

By default, this feature will be disabled. Enable this feature from Settings > Authentication > HySecure Domains page.

How to sign in using MFA only

  1. Open HyLite Portal in Web Browser.

  2. Enter your username and click on Sign-in. The password field will not be available as the “Enable sign in using MFA only” option is enabled.

  3. Log in using the assigned MFA token.

Device approval through the MDM server

The latest version of HySecure includes support for device approval through a Mobile Device Management (MDM) server. This feature allows devices to be automatically approved for logging into the HySecure Gateway using an external VMware server. The login process is based on the device's status on the MDM server, and successful login requires the device to be registered on the MDM server.

To configure the MDM server, create a manual approval-based Device ID policy using the motherboard serial number as the device parameter, and supply the Endpoint URL, Client ID, Client Secret, and Endpoint API Key obtained from the MDM provider.

Multiple SMS gateway support

From this version onwards, multiple SMS gateways are supported. Security Officers or Administrators can add, modify, and delete gateways and set the default gateway. Send a test SMS to verify that the SMS gateway settings are correct.

Additionally, SMS gateways can be assigned to specific users or user groups through Access Control Lists (ACLs) for sending SMS One-Time Passwords (OTPs) for user login, mobile token registration, and the self-service portal. An SMS gateway access control type has been added to access control, allowing a specific SMS gateway to be assigned to a user or user group. If no ACL is created, SMS messages are sent via the default SMS gateway. If an SMS gateway was added before installing the hotfix, it is automatically configured as the default after the upgrade.

FIDO Authentication

The FIDO (Fast IDentity Online) specifications enable Multi-Factor Authentication (MFA), adding an extra security layer. The system now supports user login using methods such as Windows PIN, Windows Biometric, and FIDO Security Key. FIDO stores personally identifying information, such as biometric authentication data, locally on the user's device rather than in a password database, which enhances security and protects user privacy.

Note

This feature is only supported through the HyLite portal with a valid SSL certificate.

To configure FIDO Authentication, create a HyID Policy with FIDO Token as the 2FA option.

Make sure that Windows PIN, Windows Biometric, or Security Key sign-in is enabled on the device. For example, go to Windows > Accounts > Sign-in Options and activate Windows PIN.

Users must register and validate their device from the HyLite Portal when logging in for the first time after configuration. Users can register their device with Windows PIN, Biometric, or Security Key.

Stale User Management

A new feature, Stale User Management, has been added to enable the Administrator/Security Officer to automatically revoke policies and registered profiles of users deleted from the Active Directory/LDAP Server.

Item: Description

Download the last scan report: Downloads the results of the previous scan.
Select Authentication Server: Select the server that the deleted users belonged to.
Scan Stale users: Stale users are scanned without any remedial action.
Send notifications: The scan report is sent by email to Security Officers and Administrators.
Save as report on gateway: The scan report is stored on the HySecure gateway and can be downloaded to a computer.
Remediate Stale user references: User references are removed from the HySecure Gateway.
User Profiles: Stale registered users are disabled/deleted from the HySecure gateway.
Remove Reference from ACLs: Stale users are removed from all ACLs in the HySecure gateway.
Remove Reference from HyID Policies: Stale users are removed from all HyID Policies in the HySecure gateway.
Remove Reference from My Desktop/File Share applications: Stale users are removed from all My Desktop/File Share applications in the HySecure gateway.
Remediate using last scan: User references are removed from the HySecure gateway based on the last scan operation.

Note

Stale user references are not removed from the modules below and must be cleaned up manually:

  • App Tunnel and Turbo Tunnel Pool

  • Access Devices

  • Hardware tokens

  • My Desktop and Files-based applications.

Ability to export policy data

The latest update of the HySecure management console has introduced the ability to download policy data. A security officer or administrator can now export Applications, Application groups, HyID policies, Access controls, and Host scan policies in CSV format by simply clicking the Export button.

Ability to view HySecure service status

From this version onwards, the status of important services can be checked from the Diagnose section of the Management Console. Applicable services can also be started, stopped, or restarted from there.

By clicking the "Advanced" button, the Security Officer or administrator can access a detailed view, as shown in the image below.

Configuration Parameters

The HySecure Management Console now includes a new sub-menu, Configuration Parameters, in the Diagnose menu. This section suggests optimal values to enhance the performance of the HySecure gateway based on the current configuration parameters. Currently, applying the optimization is only possible through SSH by manually changing the values.