3.6 Managing Endpoints

Endpoints are the devices from which the Advanced Authentication server receives authentication requests. An endpoint can be a Windows workstation for the Windows Client endpoint, an Advanced Authentication Access Manager appliance for the NAM endpoint, and so on.

Endpoints are added automatically when you install a plug-in such as NAM or when you install Windows Client. The RADIUS endpoint, the OSP endpoint that is used for WebAuth authentication, and Endpoint41 and Endpoint42 are the predefined endpoints.

NOTE:Endpoint41 and Endpoint42 are created for the integration with legacy NAM and NCA plug-ins, which are used in NAM 4.2 and earlier versions with Advanced Authentication 5.1.

The NAM and NCA plug-ins work with a hard-coded endpoint ID and secret. In Advanced Authentication 5.2 and later, you must register the endpoints, which breaks backward compatibility with the old plug-ins. These two legacy endpoints allow the old plug-ins to keep working.

To configure an endpoint for Advanced Authentication, perform the following steps:

  1. In the Endpoints section, click Edit against the endpoint you want to edit.

  2. You can rename the endpoint, or change its description or its endpoint type.

  3. Set Is enabled to ON to enable the endpoint.

  4. Set Is trusted to ON if the endpoint is trusted. In some integrations such as Migration Tool, Password Filter, NAM, and NCA you must enable the Is trusted option for their endpoints.

  5. Specify an Endpoint Owner if you have configured a specific chain to be used by the Endpoint Owner only. This is a user account that must authenticate with a different chain than the other users.

    The Endpoint Owner feature is supported for Windows Client, Mac OS Client, and Linux PAM Client only.

    NOTE:Additional information such as Operating System, Software version, Last session time, and Device information is displayed. RAM information is also displayed under Advanced properties.

    Advanced Authentication Windows Client 5.6 or newer, Advanced Authentication Linux PAM Client 6.0 or newer, or Advanced Authentication Mac OS X Client 6.0 or newer must be installed on the endpoint.

  6. Click Save.

You can create an endpoint manually. This endpoint can be used for the third-party applications that do not create endpoints.

To create an endpoint manually, perform the following steps:

  1. In the Endpoints section, click Add.

  2. On the Add endpoint page, specify a Name of the endpoint and its Description.

  3. Set the Type to Other.

  4. Set Is enabled to ON.

  5. Set Is trusted to ON if the endpoint is trusted.

  6. Leave Endpoint Owner blank.

  7. Click Save. The New Endpoint secret window is displayed.

  8. Note down the values specified in Endpoint ID and Endpoint Secret and store them in a secure place in your application.

    NOTE:You will not be able to get the Endpoint ID and Endpoint Secret later on the appliance.

  9. Click OK.

NOTE:Tenancy settings are not supported for Endpoints.

IMPORTANT:Do not remove an endpoint that has at least one component running on it, such as Windows Client, Logon Filter, RD Gateway plug-in, or ADFS plug-in. The endpoint is removed automatically when you uninstall Windows Client. However, you must remove the endpoint manually when you uninstall Logon Filter, RD Gateway plug-in, or ADFS plug-in.

If you remove an endpoint accidentally, remove the records with the prefix endpoint* from the %ProgramData%\NetIQ\Windows Client\config.properties file and restart the machine. This recreates the endpoint.
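The recovery step above, as an added PowerShell example that is not part of the NetIQ documentation: it backs up config.properties, strips the records whose key starts with endpoint, and optionally restarts the machine. It assumes the file is a line-oriented key=value properties file; the function name and the -Restart switch are this example's own.

```powershell
# Added example (not NetIQ's own code). Removes the endpoint* records from the
# Windows Client config.properties so that the endpoint is recreated on restart.
# Assumption: the file is a line-oriented key=value properties file.
function Reset-AAEndpointRegistration {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Path given in the documentation above.
        [string]$ConfigPath = (Join-Path $env:ProgramData 'NetIQ\Windows Client\config.properties'),
        # Restart immediately after editing the file.
        [switch]$Restart
    )

    if (-not (Test-Path -LiteralPath $ConfigPath)) {
        throw "Config file not found: $ConfigPath"
    }

    # Keep a timestamped backup so the change can be reverted.
    $backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -LiteralPath $ConfigPath -Destination $backup

    $lines   = Get-Content -LiteralPath $ConfigPath
    # Records whose key begins with "endpoint"; comment and other lines are kept.
    $removed = @($lines | Where-Object { $_ -match '^\s*endpoint' })
    $kept    = @($lines | Where-Object { $_ -notmatch '^\s*endpoint' })

    if ($removed.Count -eq 0) {
        Write-Host "No endpoint* records found in $ConfigPath; nothing changed."
        return
    }

    if ($PSCmdlet.ShouldProcess($ConfigPath, "Remove $($removed.Count) endpoint* record(s)")) {
        Set-Content -LiteralPath $ConfigPath -Value $kept
        Write-Host "Removed $($removed.Count) record(s); backup saved to $backup"
        # Log only the key names: the values may include the endpoint secret.
        foreach ($r in $removed) { Write-Verbose ("Removed key: " + ($r -split '=', 2)[0].Trim()) }
        if ($Restart) { Restart-Computer -Force }
    }
}

# Run from an elevated PowerShell session:
#   Reset-AAEndpointRegistration -WhatIf     # preview which records would be removed
#   Reset-AAEndpointRegistration -Restart    # apply and restart the machine
```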