G/On 5.4 Key Highlights
Today’s announcement focuses on the migration of existing G/On 3.x customers to G/On 5:
- Support for the existing Hagiwara H2 and H3 USB Tokens currently used in G/On 3.x
- The new Computer User Token enabling the use of the PC as an authentication factor, removing the need for a USB Token (what in G/On 3.x is called “G/On Desktop”)
- G/On Client Installation package for Windows for easy distribution of the G/On software client
- New optional feature, Field Enrollment, for remote enrollment of authentication tokens including the enrollment of Computer User Tokens on individual PCs
- Support for local users on the G/On Server (Microsoft AD no longer a requirement)
- New features in G/On Management
- Use of FIPS 140-2 validated Crypto++ encryption library
- Client side support for the Linux OS Fedora 12
- Access to applications on Citrix XenApp server/farms through the Citrix XML Service
- Improved server performance
- Experimental:
- New powerful Remote Desktop (RDP) connection in Windows for seamless support for Microsoft’s MSTSC client including G/On Server side single sign-on and the TS 2008 Connection Broker.
Licensing
New customers: Please read here for details on how to acquire a G/On license.
Existing G/On 5 customers: All existing G/On 5 customers on active maintenance are eligible for a free upgrade to G/On 5.4. The new feature, Field Enrollment, requires separate licensing.
Existing customers should contact their Giritech Partner for details.
Existing G/On 3.x customers: Existing G/On 3.x customers on active maintenance are offered software price protection when upgrading to G/On 5. Existing customers should contact their Giritech Partner for details.
Please notice: G/On 3.x customers using the first generation G/On USB H1 64MB keys will not be able to use these keys with G/On 5.
G/On 5.4 in Detail
Support for Hagiwara H2 and H3 USB devices
Giritech was first to market in 2004 with its innovative G/On USB client that in one mobile device provides two-factor authentication and secure software storage for connectivity. This physical device is developed by Hagiwara, which released new and larger capacity USB devices in 2007 and 2008. Today, most G/On 3.x customers are using Hagiwara H2 (128MB memory) and Hagiwara H3 (1GB memory).
The evolution of authentication devices has since accelerated as CPU and memory circuits have reached new levels of integration with more functionality on still smaller chips. With the introduction of G/On 5.3, Giritech also introduced new smart card based authentication tokens (G/On MicroSmart) but until now, G/On 5 customers have not been able to use the original Hagiwara USB devices.
With the release of version 5.4, G/On 5 now supports Hagiwara H2 (128MB) and Hagiwara H3 (1GB) USB keys as authentication tokens. Be aware that G/On 5 does not support the original Hagiwara H1 USBs. Their limited storage capacity of 64MB and the older technology prevent secure support for these in G/On 5.
Please notice: H2 and H3 tokens only work with Windows.
G/On 5 takes advantage of the following features of the Hagiwara USB devices:
- CD-ROM drive for read-only protection of the G/On client software and for auto-launch of G/On in accordance with the capabilities of the operating system
- Read-Write disk drive for storage of other software and data
- Hidden memory for storage of the private key used for authentication
- Unique hardware ID to lock the private key with the physical USB
Customers will have a number of options for migrating their Hagiwara USB keys from G/On 3.x to G/On 5, depending on their situation and preferences. Information on how to migrate G/On H2 & H3 tokens to G/On 5 is available here.
See also this table for a complete overview on available authentication tokens.
Computer User Token (Windows)
G/On 5.4 introduces a new type of authentication token, the Computer User Token, that can be used to turn a user’s computer into a G/On authentication factor. The Computer User Token stores its private key in a registry entry for the specific user account on the computer and uses the MAC addresses of the enabled network adapters to link the private key to the computer.
Please notice: Computer User Tokens in G/On 5.4 only work on Windows. (The Computer User Token is released in lieu of the G/On Device Token mentioned in the announcement of G/On 5.3.)
The Computer User Token is used in combination with the installation of the G/On Client software directly on the computer. This is a convenient G/On solution for users with personal laptops or computers they use on a permanent basis for G/On access to company applications. Since the computer serves as hardware authentication token, these users will not need a G/On USB token or other tokens for authentication, effectively making two-factor authentication transparent to the user.
See also table on page 6 for a complete overview on available authentication tokens.
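The paragraph above describes the two properties of the Computer User Token: a private key kept per user account, and a link between that key and the computer's enabled network adapters. The following is an added example, not Giritech's code and not the scheme G/On 5.4 actually uses (which the announcement does not document). It assumes a key-wrapping design: a key-encryption key derived from a per-user salt and the canonical set of enabled MAC addresses wraps the private key, and the key is only released when the same adapter set is present. The adapter inventory, user names and registry dictionary are constructed stand-ins for OS queries and the Windows registry.

```python
"""Illustrative binding of a per-user private key to a computer's enabled
network adapters. Added example; the design is an assumption, not G/On's."""
import hashlib
import hmac
import secrets

# Constructed sample adapter inventory: (MAC address, enabled?).
# A real implementation would query the operating system for this list.
LAPTOP_ADAPTERS = [
    ("00:11:22:33:44:55", True),   # wired adapter
    ("AA-BB-CC-DD-EE-FF", True),   # wireless adapter, Windows-style separators
    ("66:77:88:99:aa:bb", False),  # disabled adapter; must not affect the binding
]


def canonical_mac_set(adapters):
    """Sorted, lower-cased, colon-separated MACs of enabled adapters only, so
    adapter order and formatting differences do not change the binding."""
    macs = sorted(mac.lower().replace("-", ":") for mac, enabled in adapters if enabled)
    if not macs:
        raise ValueError("no enabled network adapter to bind the key to")
    return "\n".join(macs).encode()


def derive_kek(salt, adapters):
    """Key-encryption key derived from the per-user salt and the MAC set."""
    return hmac.new(salt, canonical_mac_set(adapters), hashlib.sha256).digest()


def wrap_private_key(private_key, adapters, salt=None):
    """Build the registry entry: salt, wrapped key and an integrity tag."""
    if len(private_key) != 32:
        raise ValueError("example expects a 32-byte private key")
    salt = salt if salt is not None else secrets.token_bytes(16)
    kek = derive_kek(salt, adapters)
    # XOR with a single-use 32-byte derived key keeps this stdlib-only; a
    # production design would use an authenticated key wrap such as AES-KW.
    wrapped = bytes(a ^ b for a, b in zip(private_key, kek))
    tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_private_key(entry, adapters):
    """Recover the private key on this computer, or None when the enabled
    adapter set no longer matches the one the key was bound to."""
    kek = derive_kek(entry["salt"], adapters)
    expected = hmac.new(kek, entry["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, entry["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(entry["wrapped"], kek))


# Simulated per-user registry hive: one entry per Windows user account.
REGISTRY = {}


def enroll_computer_user_token(user, private_key, adapters, salt=None):
    """Store the wrapped key under the user's account (constructed registry)."""
    REGISTRY[user] = wrap_private_key(private_key, adapters, salt)


def load_computer_user_token(user, adapters):
    """Release the key for this user only if the binding still matches."""
    entry = REGISTRY.get(user)
    return None if entry is None else unwrap_private_key(entry, adapters)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    enroll_computer_user_token("alice", key, LAPTOP_ADAPTERS)
    print("same machine:", load_computer_user_token("alice", LAPTOP_ADAPTERS) == key)
    # Same machine with the wireless adapter disabled: the binding no longer matches.
    changed = [(m, False if m.startswith("AA") else e) for m, e in LAPTOP_ADAPTERS]
    print("after adapter change:", load_computer_user_token("alice", changed) is not None)
```

The canonicalisation step matters in practice: enabling or disabling an adapter changes the set the key is bound to, so a design like this silently stops releasing the key after such a change, and the operator needs a re-enrollment path for that case.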
Field Enrollment (Windows)
G/On’s integrated two-factor authentication functionality combines an authentication token (“something you have”) with a user name and password (“something you know”). The authentication token must be known (“enrolled”) to the G/On server before users are able to log in. G/On 5.4 introduces a new optional enrollment process that makes it possible for G/On users to do the enrollment of tokens “in the field” in addition to the centralized process already available in G/On today. The Field Enrollment feature is especially valuable when enrolling Computer User Tokens but can also be used to enroll G/On’s USB tokens and SoftTokens on regular non-G/On USB keys. Users can install the G/On Client software on their token or on their computer, and the Field Enrollment feature enables users to initiate the enrollment process. The G/On Administrator has the option to approve or refuse the attempted enrollment, or the Administrator can elect to automatically approve enrollments.
Please notice: Field Enrollment in G/On 5.4 only works on Windows.
Field Enrollment is an optional G/On Server Feature that must be licensed for use. Customers should contact their Giritech Partner for details.
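The Field Enrollment description above amounts to a small workflow: a user-initiated request, an administrator decision (approve or refuse), an optional auto-approve policy, and a login check that only passes for approved tokens. The following is an added example, not Giritech's implementation; the record fields, the status names and the rule that one token identifier cannot be enrolled for two different accounts are assumptions made to show how such a gate fits between enrollment and login.

```python
"""Illustrative field-enrollment workflow with an administrator approval gate.
Added example; record layout and policy names are assumptions, not G/On's."""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REFUSED = "refused"


@dataclass
class Enrollment:
    user: str
    token_type: str   # constructed labels: "computer_user", "usb", "softtoken"
    token_id: str     # constructed token fingerprint
    status: Status


@dataclass
class EnrollmentServer:
    auto_approve: bool = False                      # administrator policy choice
    enrollments: dict = field(default_factory=dict)  # token_id -> Enrollment
    audit: list = field(default_factory=list)        # simple event trail

    def request_enrollment(self, user, token_type, token_id):
        """User-initiated enrollment from the field; returns the resulting status."""
        existing = self.enrollments.get(token_id)
        if existing is not None and existing.user != user:
            # Assumed rule: a token already bound to another account is refused.
            self.audit.append(("refused-duplicate", user, token_id))
            return Status.REFUSED
        if existing is not None and existing.status is Status.APPROVED:
            return Status.APPROVED  # already enrolled for this user; nothing to do
        status = Status.APPROVED if self.auto_approve else Status.PENDING
        self.enrollments[token_id] = Enrollment(user, token_type, token_id, status)
        self.audit.append(("requested", user, token_id, status.value))
        return status

    def decide(self, token_id, approve):
        """Administrator approves or refuses a pending enrollment."""
        entry = self.enrollments[token_id]
        if entry.status is not Status.PENDING:
            raise ValueError("only pending enrollments can be decided")
        entry.status = Status.APPROVED if approve else Status.REFUSED
        self.audit.append(("decided", entry.user, token_id, entry.status.value))
        return entry.status

    def pending(self):
        """Work queue for the administrator."""
        return [e for e in self.enrollments.values() if e.status is Status.PENDING]

    def can_login(self, user, token_id, credentials_ok):
        """Two-factor check: password result plus an approved token for this user."""
        entry = self.enrollments.get(token_id)
        return (credentials_ok and entry is not None
                and entry.user == user and entry.status is Status.APPROVED)


if __name__ == "__main__":
    server = EnrollmentServer()
    print(server.request_enrollment("alice", "computer_user", "tok-A"))
    print("login before approval:", server.can_login("alice", "tok-A", True))
    server.decide("tok-A", approve=True)
    print("login after approval:", server.can_login("alice", "tok-A", True))
```

With `auto_approve` set, the administrator's queue is never consulted, so any holder of the client software and valid credentials can bind a new token; the audit list is what lets an operator see those enrollments after the fact.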
Local G/On users on the G/On server
G/On 5.4 has the capability of authenticating user name and password against the local user directory of the Windows Server. Very small organizations without a Microsoft Active Directory (AD) infrastructure can now reap the full benefits of G/On and achieve secure access to the PCs in their office. G/On is probably the simplest, the most secure and the most affordable remote access solution available.
Authentication against the local user directory of the Windows Server can be used in combination with authentication against Microsoft AD and/or any LDAP compliant user directory. This is a convenient solution for giving external contractors access to very specific resources without the need for creating a user in the AD/LDAP, for instance contractors servicing the G/On Server itself or other servers in the network.
G/On Management
G/On’s single point of management provides the tools to define G/On’s authentication policies for accepting users, authorization policies for assigning applications to users, and token management. G/On 5.4 introduces new features especially related to the management of Tokens, and basic workflow functionality related to the Field Enrollment process.
FIPS 140-2 Validated Encryption
G/On 5.4 is using the FIPS 140-2 validated Crypto++ v 5.3.0 and it will now be possible to validate G/On 5's use of the FIPS validated encryption for Windows.
Client side support for Fedora 12
In addition to supporting Fedora 11, the G/On 5.4 client also supports Fedora 12. It is very likely that the G/On 5.4 client will run on other Linux variants, however, Giritech is currently only testing Fedora and only in 32 bit versions.
Support for Citrix XML Service
Many G/On customers are enabling access to applications on Citrix XenApp servers/farms, and Giritech introduced a new level of Citrix integration with support for Citrix Web Interface in G/On 5.3. With the release of G/On 5.4, Giritech is taking the Citrix integration even deeper with support for the Citrix XML Service, providing G/On Server side single sign on, seamless application integration, and support for Citrix server farms. With a single G/On Menu Action, the Citrix XML Service Interface will automatically populate the G/On Menu with the published applications on the Citrix XenApp servers. Consequently, the G/On Menu of Citrix applications is managed directly from the Citrix XenApp server management, and publication or withdrawal of Citrix applications requires no additional work in G/On.
Improved server performance
With the release of G/On 5.4, Giritech has improved the ability of the G/On Gateway Server to take advantage of multi processor and multi core server hardware.
Experimental
Giritech continues to improve G/On and to add new functionality that will help our customers gain more value and more benefits from G/On. Giritech will be releasing some of this functionality on an experimental basis to allow our customers to get early access to new functionality and to potentially provide feedback to Giritech. One such feature is:
G/On server side support for single sign-on for the Remote Desktop for Windows
As Microsoft is enhancing the capability of their RDP server (formerly Terminal Services) in Windows Server 2008 and the RDP client in Windows 7, Giritech will offer deeper and more seamless integration with the RDP protocol to offer G/On users the full benefits of these RDP enhancements in Windows.
G/On 5.4 includes a new, experimental Remote Desktop protocol (RDP) connection type and a set of templates for the creation of corresponding menu actions. The new G/On RDP connection type includes full RDP protocol awareness and supports:
- G/On Server side single sign on
- TS 2008 Remote apps
- TS 2008 Connection Broker
and replaces the need for TS 2008 Gateway.
We encourage our customers to enable the new G/On Menu Action templates and to provide us feedback on our G/On Forum.
Please notice: This new RDP connection type requires the G/On Server Feature, Launch Parameter File.
Other improvements
Please consult the G/On 5.4 release notes for these details.
G/On 3.x – Withdrawal from Marketing and End of Life
G/On 3.6 Withdrawal from Marketing
As part of today’s announcement, Giritech is also announcing that, effective immediately, no new G/On 3.6 installations will ship from Giritech. Customers with pending G/On 3.6 proposals from Giritech Partners will, through April 10, be offered G/On 5 instead.
G/On 3.6 End of Life
Also today, Giritech is announcing G/On 3.6 End of Life on December 31, 2010. This End of Life announcement means:
- Customers on active maintenance agreement will continue to receive support in the application and use of G/On 3.6 (also after December 31, 2010).
- Customers can continue to purchase new user licenses and features in G/On 3 (also after December 31, 2010).
- Until December 31, 2010, Giritech will provide full technical support for G/On 3.6, however, Giritech reserves the right to ask customers to upgrade to G/On 5 in case of issues already or more easily addressed in G/On 5.
- From January 1, 2011, no fixes will be issued to G/On 3.6 and customers must upgrade to G/On 5 to solve any new product issues in G/On 3.6.
Giritech offers customers on an active maintenance agreement protection of their G/On 3.x software investment when they upgrade to G/On 5. Existing customers should contact their Giritech Partner for details.