Remote Access: Before You Begin

Before you begin your integration with Imprivata Confirm ID, familiarize yourself with the features of the product and how it affects your current remote access experience.

After you have completed the preparations outlined below, select one of the following topics to proceed:

New Cloud Experience — Remote Access with Citrix NetScaler Gateway

  • The Imprivata Cloud experience is a more robust architecture in which the user authenticates directly with Imprivata, with less chance of timeout or failure. Imprivata's connection to Active Directory means your AD group attributes are sent directly to Imprivata with less configuration required.

  • You do not have to replace the LDAP connection between your gateway and Active Directory: you can easily maintain your existing single-factor remote access login experience while you roll out Imprivata Confirm ID Remote Access.

  • The Imprivata Cloud provides access to cloud-based features delivered in future versions of Imprivata Confirm ID.

Not Ready for the Cloud-Based Experience? If you need support for older browsers, or you do not want to connect to the Imprivata Cloud at this time, see Legacy Remote Access Experience (Imprivata Cloud Token Service required).

How To Use Imprivata Confirm ID Remote Access

Before enabling Imprivata Confirm ID Remote Access, you need to make several major decisions about how to use it.

  • Who do I want to use Imprivata Confirm ID Remote Access? You control who uses Remote Access by organizing users into user policies. If you want to roll out Remote Access to one department at a time, organize each department into its own user policy.
  • How do I want users to enroll? Your users need to enroll the Imprivata ID app, their phone number for SMS code authentication, or both. Your users can enroll remotely or on premises. For example, if a subset of your users rarely comes into the office and must enroll from outside your network, place them into a user policy that allows enrolling remotely. You will configure these options for each user policy.
  • Do I want users logging in with password only? Remote Access can be configured to allow users access into the VPN (RADIUS client) with password only until they enroll Imprivata ID or their phone number. This gives your users a grace period if they aren’t ready or interested in enrolling right away. If you want to enforce stricter security, you can turn this off so users must use two-factor authentication for access into the VPN.
  • Do I want to prompt users to enroll? You can turn off an enrollment reminder that appears each time users log into a computer with the Imprivata agent on premises.
  • What do I do when a device is lost or stolen? When a user calls in to report that their device was lost or stolen, you can offer to generate a temporary code to allow two-factor authentication when logging in remotely. Set up this feature in advance of your deployment. See Temporary Codes for Remote Access.
  • Vendors with shared accounts? If a temporary worker must use two-factor authentication but should not install Imprivata ID, you can issue them a temporary code to use as their second factor. See Temporary Codes for Remote Access.
  • Does my solution organize remote access by Active Directory groups? (Remote Access via RADIUS only) Review your current remote access policies to determine whether you limit remote access by AD groups. You need to configure Imprivata Confirm ID to send extended attributes via its RADIUS server so your gateway can allow and deny access by AD groups.

Optional — Temporary Codes

When Imprivata ID authentication is required to log in but the user doesn't have their device or OTP token, your enterprise can issue a temporary code that allows the user to continue their work virtually uninterrupted. Temporary codes can also be used when you need to provide remote access to a temporary user such as a contractor.

For complete details, see Temporary Codes for Remote Access.