How can we help?
Search for answers or browse our knowledge base
Network flow, Security
Network flow matrices
Cases with GTWeb without email response
The GTWeb module is used to route the response from the correspondent’s workstation to GTServer or for data synchronisation (retrieving the latest version of the data from GTAnswer) or for http verification or http broadcast.
No response is transmitted by e-mail.
| Destination | |||||||
| Default Ports | 80 | None | 3000 | According to DBMS | According to SGBD | 25 or 465 (SMTP) | |
|
GTWeb | Mail server(s) for GTAnswer | GTServer | Customer Database | GT Database | Mail server for GTServer | |
| GTWeb | TCP/IP (+SSL/TLS) proprietary protocol for the application layer (OSI) | ||||||
| GTAnswer in http
(or client Automation |
http ou https Proxy possible (auth basic digest) |
||||||
| GTAnswer in TCP/IP
(or Automatisatio client |
TCP/IP (+SSL/TLS) proprietary protocol for the application layer (OSI) | ||||||
| GTServer | via the .NET database client on the GTServer workstation (OLE DB or direct .NET client) | via the .NET database client on the GTServer workstation (OLE DB or direct .NET client) | SMTP (+SSL/TLS) |
Cases without GTWeb with e-mail response (backup connection)
The GTWeb module is not used, neither for mail response, nor for synchronization, nor for http verification, nor for http broadcast (qstx access url broadcast).
If the GTWeb module is used for synchronization or for the transfer of the response by certain correspondents (in the case of non-homogeneous environments), this matrix can be superimposed with the previous matrix.
| Destination | |||||||
| Default Ports | 80 | 25 or 465 (SMTP)
or no other (mail client) |
3000 | According SGBD | According to DBMS | 25 or 465 (SMTP)
+ 110 or 995 (POP) or 143 or 995 (IMAP) or no other (mail client) |
|
|
GTWeb | Mail server(s) for GTAnswer | GTServer | Client Database | GT Database | Mail server for GTServer | |
| GTAnswer | SMTP (+SSL/TLS)
OR use of Outlook or Notes email client (if client used, no direct access by GTAnswer) |
||||||
| GTWeb | |||||||
| GTAnswer
(or client Automation) |
TCP/IP (+SSL/TLS) proprietary protocol for the application layer (OSI) | ||||||
| GTServer | via the DB client on the GTServer workstation (OLE DB or .NET client) | via the DB client on the GTServer workstation (OLE DB or .NET client) | SMTP (+SSL/TLS) in all cases
+ POP (+SSL/TLS) OR IMAP (+SSL/TLS) OR through the Outlook or Notes mail client (if client used, only SMTP access through GTServer) |
Securing flows
Inbound access to GT modules
| Via modules GT | Excluding GT modules | |||
| Flux (Src->Dest) | Flow encryption | Restricted access | Cryptage | Restricted Access |
| GTAnswer
-> GTWeb Via http |
– HTTPS pour l’url de GTWeb (configuration sur serveur Web) | – IP restriction allowed on web server hosting GTWeb
– Reverse proxy before GTWeb – Password restriction on GTWeb’s index.php script (.htaccess type, BASIC and DIGEST authentication, the source can be a text file, an LDAP directory, a database) |
||
| GTAnswer
-> GTServer Via TCP/IP |
-Server certificate per instance (via GTAdmin security tab) | – Strong passwords for GT users (via password constraints)
– Verification of client certificates (via GTServer and GTAnswer) |
Connection encryption tools (VPN, etc…) | IP restriction allowed on GTServer |
| GTWeb
-> GTServer |
– Server certificate per instance (via GTAdmin security tab) | – Strong passwords for GT users (via password constraints)
– Checking client certificates (via GTserver and GTWeb) |
Connection encryption tools (VPN, etc…) | IP restriction allowed on GTServer |
| Automation
-> GTServer |
Idem GTAnswer ->GTServer | – Strong passwords for GT users (via password constraints, for example)
– Verification of client certificates (via GTserver and application/script using automation) |
Connection encryption tools (VPN, etc…) | IP restriction allowed on GTServer |
| GTAnswer
-> GTWeb |
– HTTPS for the GTWeb url (web server configuration) | – IP restriction allowed on web server hosting GTWeb
– Reverse proxy before GTWeb – Password restriction on GTWeb’s index.php script (.htaccess type, BASIC and DIGEST authentication, the source can be a text file, an LDAP directory, a database) |
||
Notes
- The security modes outside the GT modules are given for information only.
- GTServer for its customers: The configuration is done via GTServer by installing the certificate, then specifying in the client the type of encryption and optionally the client certificate if GTServer checks client certificates.
Inbound access to non-GT modules
| Via modules GT | Excluding GT modules | |||
| Flux (Src->Dest) | Flow encryption | Restricted access | Encryption | Restricted access |
| GTServer
-> Databases |
– Server certificate and database client configuration | – IP restriction allowed on database server
– Strong password for database access account – |
||
| GTServer | – configuration of the connection to the mail server | SSL/TLS on the mail server | – IP restriction allowed on mail server and for dedicated mail account GTServer | |
| GTAnswer
-> Serveur de messagerie |
– configuration de la connexion au serveur de messagerie | SSL/TLS sur le serveur de messagerie | – IP restriction allowed on mail server if direct connection to the mail server by GTAnswer | |
Notes
- The security modes outside the GT modules are given for information only.
Authentication from the GTAnswer module
2 cases arise:
- If the user has an account, then he or she will authenticate using the method selected during the instance setup (LDAP, OIDC or GT authentication).
- If the user does not have an account, then he or she will receive GT documents (.qstx extension) to fill out. When opening the documents, 3 modes of authentication/identification can be used:
- Mail address validation (PC-specific process)
- Authentication in the Active Directory of the GTAnswer correspondent
- http authentication when accessing GTWeb by GTAnswer
These authentication/identification modes can be combined.
Descriptions
- Email address validation (specific process GT):
When the questionnaire asks for email address validation, GTAnswer will ask the correspondent to configure his email address and will send an email to this address with a checkmail extension attachment (this one contains encrypted information about the email address and the source user profile, the .checkmail extension is associated with GTAnswer during the installation), this attachment must be opened by the correspondent: this way, GTAnswer makes sure that the Windows user has access to the specified email address.
in the GTAnswer configuration.
Constraints can be built in the questionnaire to prohibit the transmission of the answer (or block some input cells) depending on the validated email address and the content of the questionnaire.
- Authentication in the correspondent’s Active Directory
When opening a questionnaire requesting authentication in the AD (option of the campaign launch action), GTAnswer will ask the user to enter the password of the active Windows session (or the password of the Windows account associated with the e-mail address of the initial correspondent of the questionnaire). An option is available to check that the e-mail address associated in the AD with the Windows account of the active session is the same as the e-mail address of the initial recipient of the questionnaire (when sent by GTServer).
Constraints can be built into the questionnaire to prohibit the transmission of the response (or block certain input cells) depending on the AD’s email address (read in the Active Directory for the active Windows session) and the content of the questionnaire.
- http authentication when accessing GTWeb via GTAnswer
Access to the website can be protected by http authentication (defined in the website configuration, excluding GT modules). Both BASIC and DIGEST modes are allowed for http authentication.
The authentication source can be a text file, a database, an LDAP directory or any other source compatible with your web server.
During any GTAnswer access to GTWeb (especially for http verification, synchronization or response transmission), http authentication will be implemented. The authentication information (login and password) will be requested from the user in a dialog box (in the same way as if the url was accessed via a browser). During the same GTAnswer session, this authentication will not be requested again.
This authentication mode allows to limit the access to the opening (via the http check option), to the synchronization or to the transfer of the answer.
This mode does not allow to limit the transmission of the answer (or the opening or synchronization) or the access to certain input cells according to the content of the questionnaire and the login for this authentication.
Summary table
| Mode | Activation | Blocking | Remarks |
| Email address validation (Calame specific) | Questionnaire option | May block the transmission of the response (or certain input cells) depending on the content of the questionnaire | More identification than authentication
Does not preclude the initiation of the questionnaire. |
| Authentication in the correspondent’s Active Directory | Campaign launch action option | Blocks the opening of the questionnaire
May block the transmission of the response (or certain input cells) depending on the content of the questionnaire. Requires the existence of a DA. . |
Requires the existence of a DA.
Requires that the DA’s email addresses are correct for a block based on the content of the questionnaires of an instance. In the 2 sub-modes where the opening of the questionnaire is limited to the accounts associated with the email address of the initial recipient, the transmission of the questionnaire to a third party is only possible for people who can connect to the accounts mentioned above. |
| http authentication for access to GTWeb | Configuring GTWeb website and script access
+ options http Check, http Synchronization, or http Response of Campaign Launch Action |
Can block the opening of the questionnaire (using the http check option) and/or the synchronization and/or transmission of the http response | Requires, outside the GT suite, to configure the website to access a directory of globally authorized persons for the GT instance.
Does not allow to limit access according to the content of the questionnaire. |
There is no mode to prevent the opening of the questionnaire based on the authentication information and dynamic content of the questionnaire. Only the authentication information and the initial email address of the correspondent (used by the GTServer) can restrict the opening in the case of authentication via the DA, and in this case, the transmission of the questionnaire to a third party will not be possible.
GTWeb security reminders
It is strongly advised to configure the web server hosting GTWeb to impose a secure https connection. Especially if the GTWeb server is used to communicate with correspondents outside the company’s “protected” intranet.
The GTServer instance will have to be configured (via the “Messaging” tab of GTAdmin) with this new url using the https protocol.
If you want to secure the transfer of the response by GTAnswer, use the http(s) response, rather than the mail response, (to be configured in the launch action) with a GTWeb url using the https protocol (in the Mail tab of the GTServer instance via GTAdmin).
Installing an additional Web server as a reverse proxy for the Web server hosting GTWeb may be a good practice to filter connections before they reach the GTWeb server if the correspondents are outside the company intranet.
When the GTWeb url is accessible to a large number of people, it is imperative that the passwords of the GT users are strong passwords to prevent unwanted access to GTServer data.
Restricted access to the questionnaire
The action designer can request that access to questionnaires be restricted by authentication in Active Directory (with or without verification of the email address specified in the AD in concordance with the email address of the questionnaire recipient).
When the GTAnswer module opens the questionnaire on the correspondent’s workstation, the latter will have to specify login and password to authenticate himself in the DA, with verification or not of his e-mail address registered in the DA, according to the options chosen in the action to launch the questionnaires.