number: isdi-man-07 major rev: 004 minor rev: n/a … isdi-man-07 major rev: 004 minor rev: n/a...

Number: ISDI-MAN-07 Major Rev: 004

Minor Rev: N/A

Page: 1 of 25 Title: Remote Access User Guide

DESCRIPTION OF CHANGES

Justification (required for major revision)

Updated for VMware Horizon (View). Over 30% of document has changed, no rev bars needed per SWP-PRO-03.

Page(s) Description (including summary, reason, initiating document, if applicable)

4-9 Updated for VMware Horizon (View) client installation instructions and logon process details.


Minor Rev: N/A


TABLE OF CONTENTS

Page

1.0 PURPOSE ............................................................................................................................... 3

2.0 REFERENCES ........................................................................................................................ 3

3.0 PREREQUISITES .................................................................................................................... 3

4.0 PRECAUTIONS AND LIMITATIONS........................................................................................ 3

4.1 Responsibility: .......................................................................................................................... 3

5.0 MATERIALS, TOOLS, AND TEST EQUIPMENT ..................................................................... 4

6.0 ACCEPTANCE CRITERIA ....................................................................................................... 5

7.0 PROCEDURE .......................................................................................................................... 5

7.1 PeopleSoft and RSA Token Logon Process ............................................................................. 6 7.2 RSA OnDemand Token First Time Logon and PIN Creation Process ...................................... 8 7.3 VMware Horizon (View) Client Installation .............................................................................. 11 7.4 VMware Horizon (View) and RSA Token Logon Process ....................................................... 16 7.5 NEW PIN Mode ........................................................................................................................ 20 7.5 Next Tokencode Mode ........................................................................................................... 23 7.7 Security Precautions: ............................................................................................................. 24

8.0 DOCUMENTATION ............................................................................................................... 24

9.0 DEFINITIONS ........................................................................................................................ 24

10.0 ATTACHMENTS .................................................................................................................... 25


Minor Rev: N/A


1.0 PURPOSE 1.1 This document provides an overview of the RSA SecurID system and tokens. 1.2 It provides detailed instructions on using the RSA token to obtain secure remote access to

resources on the Energy Northwest network. 1.3 REMEMBER: If Email only is needed, use Outlook Web Access:

http://webmail.energy-northwest.com

2.0 REFERENCES 2.1 Form 26951 “Acknowledgement of Energy Northwest Policies and Procedures for Safe and

Appropriate Use of Remote Access 3.0 PREREQUISITES

3.1.1 Provide completed RSA Form 26951 “Acknowledgement of Energy Northwest Policies and Procedures for Safe and Appropriate Use of Remote Access”

4.0 PRECAUTIONS AND LIMITATIONS 4.1 Responsibility:

4.1.1 For your own protection and for that of Energy Northwest, always take the following precautions.

Please notify the IS Solution Center when access is no longer required. Please return physical RSA tokens to the address below.

IS Solution Center, MD1032 Energy Northwest P.O. BOX 968 Richland, WA 99352

Never reveal your RSA PIN to anyone including Information Services or your Spouse.

Always maintain physical control of RSA token.

If it is possible someone has learned PIN or token is missing, then notify the IS Duty Officer at 509-372-5656 immediately, or call the IS Solution Center (6am-4pm, Monday-Friday) at (509) 377-8400.

Close all open remote desktop sessions and all open internet explorer sessions to company resources. Failure to logoff properly can leave a route open into the corporate network.

Contact the IS Solution Center any time to have questions answered or help is needed with token or access in general.


Minor Rev: N/A


4.1.2 Compliance to Energy Northwest policies including GBP-IS-19 “Remote Access”,

GBP-IS-08 “Password and Pin Standards”, and GBP-IS-24 “Use of Electronic Communication, Intranet and Internet Access” is a condition of access.

4.1.3 Direct any questions on these policies to the IS Solution Center (see contact

numbers above) who will assure contact with the appropriate content experts.

4.1.4 RSA Software and OnDemand tokens are the standard for authentication. RSA hardware tokens are no longer supported and will not be re-issued or replaced when the hardware tokens expire. Users will be required to use RSA software tokens or RSA OnDemand tokens to authenticate to Energy Northwest resources.

4.1.5 RSA software tokens may be installed on mobile devices. RSA OnDemand tokens may be sent via SMS text message or to personal email accounts.

4.1.6 RSA tokens may be issued to EN Employees for access to PeopleSoft from offsite without requiring Manager/Supervisor approval. If remote access to other resources is required, FORM 26951 must be approved by an EN Manager/Supervisor and requires HR review for hourly employees with remote access.

NOTE: The company does not expect, nor does it approve of, casual overtime and/or “off the clock” hours of work by nonexempt employees.

4.1.7 EN does not authorize nonexempt employees to perform “off the clock” hours of

work through such means as accessing any EN electronic applications from home. GBP-HR-19, Premium and Overtime Pay, states, “Nonexempt employees obtain approval before working overtime hours."

4.1.8 Remote Access users who have been inactive for 30 days will be disabled and the related remote access account will be considered for cancellation.

5.0 MATERIALS, TOOLS, AND TEST EQUIPMENT 5.1 The RSA SecurID system uses multi-factor authentication (what the users knows and what the

user has) to provide a highly secure environment for remote access. 5.2 The authentication is comprised of a Personal Identification Number or PIN, and a tokencode

number on the RSA token. 5.3 The RSA SecurID passcode is made up of two factors.

A Personal Identification Number or (PIN) is selected and set at first logon. A RSA PASSCODE is the number currently displaying on the front of RSA SecurID token. The PASSCODE is generated based on the PIN and changes every 60 seconds.


Minor Rev: N/A


RSA OnDemand Tokens include a one-time passcode sent to a mobile device via SMS text message or to a personal email account. RSA Software Token Example:

RSA OnDemand Token Example received via SMS text or personal email account:

6.0 ACCEPTANCE CRITERIA

Compliance with Energy Northwest policies. 7.0 PROCEDURE


Minor Rev: N/A


7.1 PeopleSoft and RSA Token Logon Process

NOTE: This section assumes the RSA token PIN has already been set on a software token or OnDemand Token. If logging on for the first time with an RSA OnDemand token, please follow the steps in Section 7.2

7.1.1 OPEN Internet Explorer again AND ACCESS the remote PeopleSoft Logon site

https://access.energy-northwest.com/HR92PROD/signon.html

7.1.2 ENTER your LAN username in the username field.

7.1.3 ENTER your RSA PASSCODE or RSA OnDemand PIN in the second field.

7.1.4 If using a RSA software token (iPhone/Android) and the PASSCODE is accepted and you will be taken to the PeopleSoft logon page.


Minor Rev: N/A


7.1.5 If using a RSA OnDemand token, the RSA system will text or email you the one-time passcode. Please wait for the passcode to be received and enter the passcode in the "Please enter the next RSA Passcode or OnDemand code" AND CLICK LOGON.

7.1.6 ENTER your LAN User ID and Password to access PeopleSoft.


Minor Rev: N/A


7.2 RSA OnDemand Token First Time Logon and PIN Creation Process

NOTE: This section assumes the RSA token PIN has not been set on an RSA OnDemand Token. If this is the first logon, you will be asked to change the temporary PIN provided by the IS Solution Center. If logging on with a RSA software token (iPhone/Android) or if the OnDemand PIN has already been set, please follow the steps in Section 7.1.

7.2.1 OPEN Internet Explorer again and access the remote PeopleSoft Logon site

https://access.energy-northwest.com/HR92PROD/signon.html

7.2.2 IF the first time logging on with a RSA OnDemand token, THEN ENTER the temporary PIN provided by the IS Solution Center.

7.2.3 IF the first time logging on with a RSA OnDemand token, THEN ENTER a lowercase y AND CLICK the logon button to proceed to the PIN creation screen.


Minor Rev: N/A


7.2.4 ENTER a 4 to 8 digit PIN AND CLICK Logon.

7.2.5 ENSURE the PIN is accepted AND RE-ENTER your new OnDemand PIN.

7.2.6 CLICK Logon.


Minor Rev: N/A


7.2.7 The RSA system will text or email you the one-time passcode. Please wait for the passcode to be received and enter the passcode in the "Please enter the next RSA Passcode or OnDemand code" AND CLICK LOGON.

7.2.8 ENTER your LAN User ID and Password to access PeopleSoft.


Minor Rev: N/A


7.3 VMware Horizon (View) Client Installation

NOTE: The VMware Horizon system provides access to a HTML5 client that can be accessed by selecting “VMware Horizon HTML Access” at the link below, and it does not require a client to be installed. However, the full Horizon (View) client installation is recommended for home machines for best performance. The HTML 5 client may be used, with a compatible browser, to access the site from Hotels, Kiosks, or other systems that may not allow the full client to be installed.

7.3.1 To install the Horizon (View) client, LAUNCH Internet Explorer AND ENTER the

path below:

https://view.energy-northwest.com

7.3.2 SELECT Install VMware Horizon Client


Minor Rev: N/A


7.3.3 SELECT the “Go to Downloads” link for the appropriate operating system. For

example, SELECT “VMware Horizon Client for Windows” for Windows 7 or 10.

7.3.4 SELECT Download.


Minor Rev: N/A


7.3.5 SELECT Run.

7.3.6 SELECT Customize Installation

NOTE: A Customized installation is recommended to enable Skype for Business performance improvements.


Minor Rev: N/A


7.3.7 UNCHECK Log in as current user.

7.3.8 SELECT Virtualization Pack for Skype for Business

7.3.9 SELECT Agree & Install


Minor Rev: N/A


7.3.10 SELECT Launch


Minor Rev: N/A


7.4 VMware Horizon (View) and RSA Token Logon Process

7.4.1 RUN the Horizon client.

7.4.2 SELECT Add Server

7.4.3 ENTER view.energy-northwest.com in the Connection Server field.


Minor Rev: N/A


7.4.4 SELECT view.energy-northwest.com

7.4.5 ENTER your username and RSA passcode AND CLICK Login.


Minor Rev: N/A


7.4.6 ENTER your password AND CLICK Login.

7.4.7 IF prompted, THEN SELECT a desktop.

NOTE: A desktop may automatically appear and you may not be prompted.

7.4.8 SELECT OK to acknowledge the Energy Northwest legal disclaimer.


Minor Rev: N/A


7.4.9 IF the screen resolution needs to be adjusted, THEN SELECT the Options drop down menu.

7.4.10 SELECT the “Switch to Other Desktop” option

7.4.11 RIGHT CLICK the desktop.


Minor Rev: N/A


7.4.1 SELECT the preferred Display option.

. NOTE: By default, Horizon View will use All Monitors. You may adjust the settings under Options, Desktops. The All Monitors options will use full screen on all desktops. The Fullscreen option will use one monitor full screen. You may also select the resize windows button and adjust the screen resolution by dragging the border of the session to your preferred size. The maximize button will resize to full screen.

7.5 New PIN Mode for RSA Software Tokens

NOTE: The first time authenticating with an RSA SecurID token, starts automatically in New PIN mode. This means the system requires a new 4 to 8 digit Personal Identification Number or PIN. This must be done initially and on occasion if prompted by the system in order to associate RSA token with a specific PIN number chosen by the user.


Minor Rev: N/A


7.5.1 ENTER Login ID in the USERNAME field.

7.5.2 ENTER the RSA SecurID passcode in the PASSCODE field using only the tokencode currently displaying on RSA SecurID token since a PIN has not been created yet.

7.5.3 IF the number on the RSA token is about to expire, as indicated by the presence of only 1 or 2 Token Timer Digits to the left of the number, THEN WAIT until the token has generated a new number before entering it into the PASSCODE field.

7.5.4 IF logon attempt fails,

THEN WAIT for the RSA token code to change before trying again.

7.5.5 After successfully authenticating, CREATE a PIN the first time logging on.

NOTE: The number must be a minimum of 4 digits but can be up to 8 digits in length. RSA software token PINs must be 4 to 8 numbers only and must not start with a zero.

a. FOLLOW the instructions on the page AND ENTER a four to eight (4-8) digit

PIN in both fields.

b. ENSURE the PIN can be remembered without being written down.

c. SELECT Confirm.


Minor Rev: N/A


d. SELECT OK.

7.5.6 For RSA software tokens: a. ENTER the 4-8 digit PIN just created into the application on the phone AND

SELECT the right arrow or enter.

b. The generated number will be the PASSCODE.

7.5.7 For RSA OnDemand tokens:

CAUTION For RSA OnDemand Tokens, enter the PIN provided. A onetime On-Demand passcode will be sent to the address you provided the IS Solution Center.

a. In the PASSCODE field ENTER the 4-8 digit On-Demand PIN provided by the

RSA Administrator.


Minor Rev: N/A


b. WAIT for On-Demand Passcode to be provided by the RSA system.

c. ENTER the On-Demand Passcode in the Next Code field when prompted.

NOTE: The desktop option should now appear or log you on automatically.

7.5.8 IF any trouble is encountered accessing the desktops listed, THEN ENSURE the Horizon client has been installed.

7.5.9 REFER to the Horizon client installation instructions. 7.6 Next Tokencode Mode

NOTE: Occasionally after entering the passcode (PIN and tokencode) correctly, the RSA system may prompt for the “Next Tokencode”. This is to re-synchronize the token with the SecurID server.


Minor Rev: N/A


7.6.1 WHEN prompted for the Next Tokencode,

THEN WAIT until the token tokencode changes AND ENTER the new one. .

7.6.2 IF trouble installing the client is encountered, THEN CONTACT the IS Solution Center for assistance.

7.7 Security Precautions:

7.7.1 IF an unauthorized person learns the PIN OR OBTAINS the RSA SecurID token, THEN this EXPOSES the authorized user to responsibility for actions that the other party takes with the ID, password, or PIN.

7.7.2 IF any issues are encountered connecting, authenticating, or using remote access,

THEN CONTACT the IS Solution Center at (509) 377-8400. 8.0 DOCUMENTATION

Instructions for Software tokens are available at:

iPhone - https://remote.energy-northwest.com/rsa/iPhone.doc

Android - https://remote.energy-northwest.com/rsa/android.doc 9.0 DEFINITIONS 9.1 New Pin Mode - The RSA SecurID server is requesting that you define a 4-8 digit

alphanumeric PIN so it can associate it with your SecurID token. You will be asked to create a new PIN when first issued a token and occasionally if the system needs to re-associate the PIN with your token. You can choose simple PIN’s like abcd or 1234 but don’t. Remember if someone guesses your PIN and is in possession of your token- they have now become you from a system standpoint and will be logged in the system logs that way. You can change your PIN at any time by calling the System Admin.

9.2 Next Token Mode - The system will prompt you to enter the “Next Token”, if it needs to

resynchronize with your token or it suspects you are a bad guy trying to guess the token code. When you are asked for the “Next Token”- look at your token, wait for the number to change and then enter this 6 digit number only- do not enter your PIN when asked for Next Token.

9.3 PIN - Personal Identification Number - The RSA SecurID PIN is a user generated

alphanumeric number between 4 and 8 digits. The PIN when combined with the RSA Token tokencode comprise a 10 to 14 digit Passcode. The user will on occasion be asked to change their PIN definition. The PIN should not be made up of character strings such as 1-2-3-4 or a-b-c-d. Make your PIN something easy to remember for you but difficult to guess by others, and DON’T write it down!


Minor Rev: N/A


9.4 RSA SecurID Token – The RSA tokens provide multifactor authenticator and are available as Software Tokens for mobile phones and as RSA OnDemand tokens sent to personal email addresses or SMS text messages. The RSA tokens are used in conjunction with a Personal Identification Number or PIN to authenticate a person to a secure system. The central SecurID server knows what number should be entered by the user since it is in sync with the user token. If the number and the PIN are what the server expects to see for this time slot, it will grant access to the protected system.

9.5 RSA SecurID - RSA SecurID is a two factor (what you know – your PIN and what you have –

your Token) authentication system used to provide high levels of system access security. 9.6 SecurID Tokencode - The SecurID Tokencode is a six digit numeric number generated by the

SecurID token and the SecurID server. The token and the server are in sync- meaning that the tokencode selected by the server is the same as the tokencode selected on the SecurID token. These change approximately every 60 seconds and are maintained in sync by the system.

9.7 Software Token – A token that runs from an application, usually issued to run on a

smartphone. 9.8 Token Timer Digits - The token timer digits are located to the left on the SecurID token

window. The tokencode is changed approximately every 60 seconds and the timer digits give the user an idea of where the token is in this cycle.

9.9 Windows Domain LoginID - The domain LoginID is the user id that identifies you on the Energy Northwest network- an example would be “jsmith”.

9.10 Windows Domain Password - The domain password is the password you create (and change every 6 months) and use in conjunction with your Domain LoginID to gain access to your Email, your workstation and other corporate applications.

10.0 ATTACHMENTS

None

number: isdi-man-07 major rev: 004 minor rev: n/a … isdi-man-07 major rev: 004 minor rev: n/a...

Documents