Smart Card Support

© 2017 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their respective owners.
TC:5/2/2017
Table of Contents
Smart Cards for Remote Authentication
    Prerequisites
Install the Smart Card Driver
Install a Jump Client, Jumpoint, or Elevation Service for Elevated Session Start
    Jumpoint Installation
    Jump Client Installation
    Elevation Service Installation
Use a Virtualized Smart Card
    Use Case 1: Log Into the Remote Computer Using Smart Card Credentials
    Use Case 2: Run As the Smart Card User
CONTACT BOMGAR info@bomgar.com | 866.205.3650 (US) | +44 (0) 1628 480 210 (UK/EMEA) BOMGAR.COM
Smart Cards for Remote Authentication
During a support session, a support representative may need to operate with administrative rights in order to effectively
troubleshoot the remote computer. Within environments where security implementations require smart card use for authentication,
Bomgar enables the representative to pass administrative credentials to the remote computer from a smart card resident on the
representative's local system.
Prerequisites
To use Bomgar smart card support through a Jump Client, the following prerequisites must be met:
• The representative's computer must have a Bomgar virtual smart card driver installed.
• Each supported computer must have a Bomgar virtual smart card driver installed.
• Each supported computer must be running Windows Vista or above.
• Each supported computer must be accessible by a Bomgar Jump Client running in elevated mode.
Bomgar smart card support can be used with the Jump To functionality when the following prerequisites are met:
• The representative's computer must have a Bomgar virtual smart card driver installed.
• Each supported computer must be running Windows Vista or above.
Bomgar smart card support can be used with customer-initiated sessions when the following prerequisites are met:
• The representative's computer must have a Bomgar virtual smart card driver installed.
• Each supported computer must have a Bomgar virtual smart card driver installed.
• Each supported computer must be running Windows Vista or above.
• Each supported computer must have the Bomgar elevation service installed.
Install the Smart Card Driver
1. Go to /login > My Account :: Bomgar Virtual Smart Card.
2. Download the representative installation package and the customer installation package for the appropriate
versions of Windows.
3. Install the representative virtual smart card driver.
    • Distribute the representative driver installer to all representatives within your support center who require
    remote smart card functionality.
    • The driver can be installed manually or via a software deployment tool.
    • Once the driver is installed, it creates a service: Bomgar Representative Service.
4. Install the customer virtual smart card driver. (If Jump To is used to access the remote system, the customer
virtual smart card driver does NOT have to be preinstalled.)
    • Distribute the customer driver installer to all remote computers to which you will need to pass smart card
    credentials.
    • The driver can be installed manually or via a software deployment tool.
    • Once the driver is installed, it creates a service: Bomgar Customer Service.
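The prerequisites and driver services described above can be verified on a host before a session is attempted. The following PowerShell script is an added example, not part of the Bomgar documentation or software. It assumes the service names quoted in this guide are the Windows service display names, and the ElevationServiceName parameter is hypothetical because the guide does not state that service's name.

```powershell
# Added example: readiness check for Bomgar virtual smart card support on one Windows host.
# Assumption: the service names quoted in this guide are the Windows service display names.
param(
    [ValidateSet('Representative', 'Customer')]
    [string]$Role = 'Customer',
    # Hypothetical parameter: display name of the elevation service as installed on your
    # systems (not stated in the guide). Supply it for customer-initiated sessions.
    [string]$ElevationServiceName
)

function Test-ServiceRunning {
    param([string]$DisplayName)
    # A missing service raises an error; suppress it and report "Not installed" instead.
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = "Service '$DisplayName'"
        Passed = [bool]($svc -and $svc.Status -eq 'Running')
        Detail = if ($svc) { "Status: $($svc.Status)" } else { 'Not installed' }
    }
}

$results = @()
if ($Role -eq 'Representative') {
    # The representative side needs the representative driver and its service.
    $results += Test-ServiceRunning 'Bomgar Representative Service'
} else {
    # Supported computers must run Windows Vista (NT 6.0) or above.
    $v = [Environment]::OSVersion.Version
    $results += [pscustomobject]@{
        Check  = 'Windows Vista or above'
        Passed = ($v.Major -ge 6)
        Detail = "Version: $v"
    }
    # Not required in advance when the system is reached with Jump To,
    # because the customer driver is pushed as part of the Jump.
    $results += Test-ServiceRunning 'Bomgar Customer Service'
    if ($ElevationServiceName) {
        $results += Test-ServiceRunning $ElevationServiceName
    }
}

$results | Format-Table -AutoSize
# Non-zero exit code lets a software deployment tool flag hosts that are not ready.
if ($results.Passed -contains $false) { exit 1 }
```

Run it with -Role Representative on the representative's workstation and with the default role on each supported computer.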
Install a Jump Client, Jumpoint, or Elevation Service for Elevated Session Start
When attempting to operate with the credentials on a smart card, the user is prompted to enter a PIN. This UAC prompt is
inaccessible to the support representative if the Bomgar customer client is not already running in elevated mode. It is therefore
necessary to access the remote computer in one of three ways:
• A Jump Client running as a system service
• A Jumpoint or local network Jump, using administrative credentials
• A customer-initiated or Jump session with the Bomgar elevation service pre-installed on the remote system
Accessing the remote computer in elevated mode allows the representative to interact with UAC prompts in order to enter the smart
card PIN.
When attempting to operate with the credentials on a smart card, the user is prompted to enter a PIN. This UAC prompt is
inaccessible to the support representative if the Bomgar customer client is not already running in elevated mode. It is therefore
necessary to access the remote computer via a pre-installed Jump Client, which must be running as a system service, or through a
Jumpoint or local network Jump using administrative credentials. Jumping to a remote computer via an elevated Jump allows the
representative to interact with UAC prompts in order to enter the smart card PIN.
Jumpoint Installation
To install a Jumpoint, see Jumpoint: Set Up Unattended Access to a Network. No special setup is required.
Jump Client Installation
To install a Jump Client in preparation for using smart card support, you must set certain options as described below.
1. From the /login interface of your Bomgar Appliance, go to Jump > Jump Clients.
2. Configure the Jump Client settings as needed. For details, see Jump Clients: Manage Settings and Install Jump
Clients for Unattended Access.
    • The connection type can be either active or passive.
    • Be sure to check Attempt an Elevated Install if the Client Supports It as well as Prompt for Elevation
    Credentials if Needed.
3. Click Create.
4. From this page, you may email the Jump Client installer to one or more remote users.
5. Alternatively, select a platform and download the Jump Client installer to your local system. You may then
distribute this installer to multiple systems for manual installation, or you may distribute it via a software
deployment tool.
Elevation Service Installation
In special cases, you may need a session to start with the
customer client already in elevated mode, or you may need to
elevate the customer client without providing credentials. To
securely elevate the customer client without the prompt,
download the Bomgar Automatic Elevation Service and
install it beforehand on the remote Windows systems to which
you need credential-less elevation access. You must install the
elevation service using an account that has administrative
privileges to the local machine.
When the elevation service runs, it adds to the registry a hash unique to your Bomgar site. Then, when the remote system begins a
session through that site, the elevation service matches the registry hash against the hash in the client. If they match, the client
attempts automatic elevation.
Elevation occurs following the rules set in /login > Public Portals > Customer Client :: Miscellaneous Options. If the rules set for
the customer client do not allow it to elevate automatically, a matching hash will still make the elevation service the means for
elevation when the representative clicks the Elevate button in the representative console. When the elevation service is used,
neither the representative nor the customer is prompted for credentials.
After a Bomgar software update, your site hash changes. Download and run the elevation service registry file to update the registry
hash on systems which already have the elevation service installed. You must run the elevation service registry file using an
account that has administrative privileges to the local machine.
Use a Virtualized Smart Card
To use smart card credentials on a remote system, you must Jump to that system, or you must start a customer-initiated session with
a system that has the Bomgar elevation service pre-installed.
If using a Jump Client, the Jump Client must be running in service mode, or the remote system must also have the elevation service
pre-installed with its service running. The appropriate virtual smart card drivers must be installed on both your local system and the
remote system, with their services running.
Alternatively, a system can be accessed using the Jump To functionality from within the representative console. Using the Jump To
functionality does not require the virtual smart card driver to be pre-installed on the customer's system. In this scenario, Bomgar
installs the driver as part of the Jump to the end system being accessed.
Note: The customer smart card driver is ONLY installed during a Jump To push when the representative performing the Jump
has the representative smart card driver installed on their local system.
If using a customer-initiated session, the elevation service must be pre-installed on the remote computer, and its service must be
running. Also, the appropriate virtual smart card drivers must be installed on both your local system and the remote system, with
their services running.
Begin a screen sharing session, and then click the Smart Card button to access a dropdown of available smart card readers
on your system.¹ Select the reader you would like to share with the remote computer. Once the reader has been virtualized
on the remote system, a message indicating that you have shared this reader is logged in the chat window. The smart card
in the selected reader is now available to use on the remote computer, just as if it were physically present on the
system being supported.
Note: Some systems support multiple smart card readers. Because the data gathered from these readers is not useful in
assigning meaningful names, the readers are named sequentially: Reader 1, Reader 2, etc. On any given system, each reader
will always have the same name. Therefore, once you have determined the name of a reader, you can trust that in all future
sessions, that name will always refer to that reader.
The smart card dropdown menu displays the name(s) of the available smart card readers and smart cards, along with an icon
indicating the availability of each card reader or presence of each card:
• Black icon - Card not present
• Blue icon - Card present
• Gray icon - Reader and card not available
Once you have shared a reader, it remains selected and available for use throughout the session, as long as you do not log out the
current user. If you do log out the current user on the remote computer, the shared reader is deselected and must be re-selected if
you need it later in the session.
¹ If the smart card button does not appear in the screen sharing tool bar, make sure the representative smart card service is running
on your local computer. If the smart card button is present but disabled, make sure the customer smart card service is running on
the remote computer.
When screen sharing, use a virtual smart card to perform administrative actions. You can run programs in another user context, or
even log in as a different user.
Also, if the virtual smart card feature is available in a session which is not elevated and a smart card reader has been shared into
the session, then certificates stored on the inserted smart card can be selected and used for elevation.
Note: Elevation performed using this feature takes slightly longer due to the extra transactions required to the virtual smart card
reader.
Note: A smart card reader can be attached to only one active session at a time. From the Smart Card dropdown, you can
deselect a virtualized reader to free it for use in another session.
Use Case 1: Log Into the Remote Computer Using Smart Card Credentials
After Jumping to a remote computer, you may find that the computer is locked. Alternatively, you may need to perform administrative
functions not permitted in the current user context.
Go to the remote login screen, logging out the current user if
necessary. Click the Smart Card button and select a smart
card reader to virtualize on the remote system. The smart card
will now appear as a user login option.
Click the smart card user, enter the PIN, and log in.
Use Case 2: Run As the Smart Card User
While supporting a remote computer, you may need to run a
specific application with privileges not available in the current
user context. Within a screen sharing session, click the Smart
Card button and select a smart card reader to virtualize on the
remote system. Right-click the desired application and choose
Run As. From the UAC prompt that appears, select the smart
card and enter the PIN to run the application in the smart card
user context.
Note: Smart card credentials cannot be used to run
elevated tasks from the Special Actions menu.