Encrypting Communication

Patriot 6 supports encrypting the communication data to prevent unauthorised access. Patriot has a primary and a secondary means of communication between the data service and the clients.

Generally the primary path is left unencrypted as it is used by the workstations and the task service(s). There is an overhead to using encryption, so it is recommended that the primary path is left unencrypted. If you need to support Patriot workstations, or Patriot task services outside the local area network, you can either enable encryption for all clients on the primary path, or (recomended) setup a VPN for these remote clients. You can also run remote Patriot workstations by using terminal services which includes its own encryption.

The data service also supports a secondary path which is encrypted and can be used by ICA. ICA requires direct access to the data service for some of the advanced ICA features, and as it's common that the web server hosting ICA will be located outside the LAN, it is recommended that ICA uses this secondary encrypted path in all cases where ICA link to data service is not secure. If The ICA web server is located on the same LAN as the Patriot server, ICA can be configured to use the primary unencrypted path. See ICA installation for details.

If your using the Json SDK, the encryption of this is covered here.

Enabling Encryption on the primary path

To enable encryption, simply tick the ‘Use Encryption’ box in the configuration program for the data service and any task services, and then restart the services. To enable encryption in the client, open the settings drop-down on the login page and tick the ‘Use Encryption’ box. Be sure to save the settings before logging in.

The encryption in Patriot uses Windows Authentication to control which users can access the service. If your machines are running on a domain, this should be all you need to do to enable encryption for your network. However if your network is using a workgroup setup, there are a few additional steps which must be taken. This can also be done if your remote workstations are not part of the domain.

On the server or domain, create a new user. This user should have a strong password and can be a restricted account.

When starting the Patriot client on the remote computer, enable encryption, and select ‘Alternate Credentials’. Enter the username and password of the user account you just set up. For the domain section, either enter the name of your domain, if you have one, otherwise enter the name of the server computer. These credentials are encrypted on the client so they cannot be viewed once saved.

Troubleshooting:

If you get errors when trying to log in after enabling encryption, make sure that you have enabled it on both the client and server. Ensure that you have restarted the data service for the changes to take effect.

If you get an error regarding your credentials being rejected, then check the user account you are logged in as. This must be a domain user account or you must have added the user to the server as detailed above.

A remote side security requirement was not fulfilled during authentication Error indicates that you must disable ‘Simple File Sharing’ on the server.

Enabling Encryption on the secondary path (ICA)

Data Service setup

The Data Service will automatically enable an encrypted secondary path if the Advanced ICA module is registered or secondary encryption enabled in data service settings.

To enable the secondary encryption, open the PatriotService.exe.config file located within the Patriot server installation folder. This file is normally found in,

\Program Files\Patriot Systems\Patriot Data Service

OR

\Program Files (x86)\Patriot Systems\Patriot Data Service (on 64 bit machines)

IMPORTANT: always make a backup copy of your Data Service config file before making changes.

Open the PatriotService.exe.config file using a text editor. Under application settings, PatriotService.Settings1, you will see all the existing application settings. The secondary encryption is set as follows,

.....

<setting name="EnableSecondaryEncryption" serializeAs="String">

<value>False</value>

</setting>

</PatriotService.Settings1>

Change the value to True to enable this mode, if this setting is missing from your configuration file, add it below the other settings.

The default port used by this service is 10001. To change this port number, open the PatriotService.exe.config file using a text editor, the secondary port is set as follows,

.....

<setting name="EncryptedServicePortNo" serializeAs="String">

<value>10001</value>

</setting>

</PatriotService.Settings1>

Add this setting in if it doesn’t exist and set the value as required: Now restart the Patriot Data service and Patriot's secondary encrypted services will attempt to start on your chosen port.

If ICA is located on a remote server outside the LAN, this port will need to be opened in the firewall and NAT configured to point to the Patriot server.

The encryption uses Windows Authentication to control which users can access the service. You will need to setup a windows user for authenticating against. See the section above on setting up the primary path for details.