1. |
◦ |
If the Organization component is not enabled on the appliance, log in to the appliance Administrator Console, https://appliance_hostname/admin, then select Settings > Control Panel. |
◦ |
If the Organization component is enabled on the appliance, log in to the appliance System Administration Console, https://appliance_hostname/system, or select System in the drop-down list in the top-right corner of the page, then select Settings > Control Panel. |
2. |
3. |
Enter the subnet mask of the specified network. For example: 24, 255.255.240.0. This is applied to the host. | |
5. |
6. |
7. |
You can configure local web server settings to specify an allow list of hosts that are allowed to access the Administrator Console, System Administration Console, and the User Console. After you create the allow list, access is restricted to the hosts on the allow list.
NOTE: After an IP address or domain name is added to the Allow List, only that IP address or domain has access. All others are blocked. |
1. |
◦ |
If the Organization component is not enabled on the appliance, log in to the appliance Administrator Console, https://appliance_hostname/admin, then select Settings > Control Panel. |
◦ |
If the Organization component is enabled on the appliance, log in to the appliance System Administration Console, https://appliance_hostname/system, or select System in the drop-down list in the top-right corner of the page, then select Settings > Control Panel. |
2. |
In the Access Control List section, click the Limit appliance access to acceptable networks option to display the Access Control List Details page. |
Select this option to restrict access to web addresses on the Allow List. To enable access to IP addresses on the appliance’s subnet in addition to the specified destinations, select Allow all IP addresses in the same subnet as the appliance. |
4. |
| |||||||||
6. |
7. |
8. |
NOTE: After an IP address or domain name is added to the Allow List, only that IP address or domain can access that page. All others are blocked. |
To enable SSL, you need to have the correct SSL private key file and a signed SSL certificate. If your private key has a password, the appliance cannot restart automatically. If you have this issue, contact Quest Support at https://support.quest.com/contact-support.
|
1. |
◦ |
If the Organization component is not enabled on the appliance, log in to the appliance Administrator Console, https://appliance_hostname/admin, then select Settings > Control Panel. |
◦ |
If the Organization component is enabled on the appliance, log in to the appliance System Administration Console, https://appliance_hostname/system, or select System in the drop-down list in the top-right corner of the page, then select Settings > Control Panel. |
2. |
In the Security Settings section, click Configure network security and accessibility to display the Security Settings page. |
Enable unidirectional (read-only) SNMP access to managed devices on the network through port 199 using SMUX, an SNMP multiplexing protocol. See Verify port settings. | |||||||||||||||||||||||||
The SNMP community string that enables read-only SNMP access. The default value is public. | |||||||||||||||||||||||||
For information on how to enable device monitoring, see Enable monitoring for one or more devices.
| |||||||||||||||||||||||||
| |||||||||||||||||||||||||
Clear this option to enable access to backup files through a URL without username or password authentication. This is useful for external process that require access. See About appliance backups. | |||||||||||||||||||||||||
Enable the appliance to respond to multicast Domain Name System (mDNS) and DNS Service Discovery (DNS-SD) requests. This option makes it easier for users and administrators to locate the Administrator Console and User Console. If you do not need the appliance to respond to these requests, clear this option. | |||||||||||||||||||||||||
Enable the appliance to view server usage and metrics over time. | |||||||||||||||||||||||||
Choose whether to add security for files that are attached to Service Desk tickets:
| |||||||||||||||||||||||||
| |||||||||||||||||||||||||
Enable SSL access to the database and access additional SSL options. | |||||||||||||||||||||||||
Enable the appliance to send limited server log data to a remote Syslog server. | |||||||||||||||||||||||||
Specify the fully qualified domain name (FQDN) or IP address and the port number of the remote Syslog server. IPv4 and IPv6 addresses are supported. If you do not provide a port number, the appliance uses 514 (UDP), the default port number for Syslog traffic. |
4. |
In the Two-Factor Authentication tab, configure the Two-Factor Authentication (2FA) feature. 2FA provides stronger security for users logging into the appliance by adding an extra step to the login process. It relies on the Google Authenticator app to generate verification codes. The app generates a new six-digit code at regular intervals. When enabled, end users will be prompted for the current verification code each time they log in. |
a. |
Specify the following options. They appear listed in the order of precedence, as you enable them from top to bottom. For example you can only enable 2FA for the User Console if you have previously configured 2FA for the Administrator Console. |
▪ |
Enable Two-Factor Authentication for the System Portal: Select this check box if you want to use 2FA for the System Administration Console. To enable 2FA for all users, select Required for all Users. |
▪ |
Enable Two-Factor Authentication for the Admin Portal: This option only appears if you enabled 2FA for the System Administration Console, or if your appliance has only one organization. Select this check box if you want to use 2FA for the Administrator Console. Next, specify the users that will require 2FA during login by selecting one of the following options: |
▪ |
Required for all Users: Appliances with one organization only. To enable 2FA for all users, select this option. |
▪ |
Defined by Organization: Appliances with multiple organizations only. Apply the same 2FA configuration to all users in each Organization in the Administrator Console, as applicable. |
▪ |
Required for all Users: Appliances with multiple organizations only. Enable 2FA for all users in the Administrator Console. |
▪ |
Not required: Appliances with multiple organizations only. Disable 2FA for all users in the Administrator Console. |
▪ |
Enable Two-Factor Authentication for the User Portal: This option only appears if you enabled 2FA for the Administrator Console. Select this check box if you want to use 2FA for the User Console. Next, specify the users that will require 2FA during login by selecting one of the following options: |
▪ |
Defined by Organization: Apply the same 2FA configuration to all users in each Organization in the User Console, as applicable. |
▪ |
Required for all Users: Enable 2FA for all users in the User Console. |
▪ |
Not required: Disable 2FA for all users in the User Console. |
b. |
Under Transition Window, specify the amount of time during which users who require 2FA will be able to bypass the 2FA configuration step. |
5. |
Use the settings in the Brute Force Prevention area to prevent multiple consecutive attacks from obtaining access to the appliance using false credentials. You can configure the number of failed authentication attempts within a specified time frame, after which the appliance prevents any logins for that user. |
6. |
Optional: In the Appliance Encryption Key section, click Generate Key to generate a new encryption key. This key is used to enable Quest Support to access your appliance for troubleshooting using a tether. It is not necessary to generate a new key unless you believe that the current key has been compromised. See Enable a tether to Quest KACE Support. |
7. |
Prevent the appliance from using single sign on. Single sign on enables users who are logged on to the domain to access the appliance Administrator Console and User Console without having to re-enter their credentials on the appliance login page. | |
Use Active Directory for authentication. Active Directory uses the domain to authenticate users on the network. See Using Active Directory for single sign on. |
8. |
Enable access to the appliance over port 80. If you disable port 80 access, contact Quest Support to adjust the Agent deployment scripts to handle SSL. | |
Enable managed devices to connect to the appliance using SSL (HTTPS). Enable this setting only after you have properly deployed the appliance on your LAN in non-SSL mode. To enable SSL, you need to load an SSL certificate as described in step 10. |
1. |
Select Upload PEM SSL Certificate. |
2. |
In the SSL Private Key File and SSL Certificate File fields, select the private key and certificate files. |
3. |
If you want to enable and upload intermediate SSL certificates (also in PEM format), select Enable Intermediate SSL Certificate. Intermediate SSL certificates are signed certificates provided by certificate issuers as proxies for root certificates. |
1. |
Select Upload PKCS-12 SSL Certificate. |
2. |
In the PKCS-12 File field, select the file. |
3. |
In the Password for PKCS-12 file field, type the password for the PKCS-12 file. |
1. |
Click Apply Let's Encrypt SSL Certificate. Let’s Encrypt is a free, automated, and open certificate authority (CA). When you get a certificate from Let’s Encrypt, their servers validate that you control the domain names in that certificate using a challenge. |
NOTE: The HTTP-01 challenge can only be done on port 80. Specify arbitrary ports makes the challenge less secure, and it is therefore not allowed by the Automatic Certificate Management Environment (ACME) standard. For that reason, the appliance must run on a public-facing box with port 80 open for inbound communication, and a publicly-resolvable DNS. For more details, visit https://letsencrypt.org/docs/challenge-types/. |
2. |
In the Email Address field, provide an email address. While Let's Encrypt certificates periodically expire, the appliance uses an automated process to update the certificate before its expiration. The address is used for communication with Let's Encrypt in an unlikely event the certificate expires. You must have a Let's Encrypt account registered using this email address. |
1. |
Click Generate CSR (Certificate Signing Request) or Self-Signed SSL Certificate. |
2. |
In the area that appears, click SSL Certificate Form. Follow the instructions in Generate an SSL certificate. |
11. |
In the CSP tab, select the Enable CSP checkbox to enable CSP (Content Security Policy). Enabling the checkbox adds list of KACE trusted domains automatically. |
◦ |
If you want to add domains or URLs in the list, then in the Additional Allowed Domains section, click +, and specify the Directive and the Domain/URL. For more details, Configuring Content Security Policy |
12. |
In the Secure Attachments in Service Desk section, choose whether to add security for files that are attached to Service Desk tickets: |
◦ |
◦ |
Clear the check box to enable users to access files by clicking ticket links from outside the Administrator Console or User Console. |
13. |
NOTE: In some cases, the Firefox browser does not display the Administrator Console login page correctly after you enable access to port 443 and restart the appliance. If that happens, clear the Firefox browser cache and cookies, then try again. |
Active Directory single sign on enables users who are logged on to the domain to access the appliance Administrator Console and User Console without having to re-enter their logon credentials each time.
Before you connect the appliance to an Active Directory server, verify that:
• |
• |
1. |
◦ |
If the Organization component is not enabled on the appliance, log in to the appliance Administrator Console, https://appliance_hostname/admin, then select Settings > Control Panel. |
◦ |
If the Organization component is enabled on the appliance, log in to the appliance System Administration Console, https://appliance_hostname/system, or select System in the drop-down list in the top-right corner of the page, then select Settings > Control Panel. |
2. |
In the Single Sign On tab of the Security Settings page, select Active Directory, then provide the following information: |
The host name of the domain of your Active Directory® server, such as example.com. | |
The user name of the administrator account on the Active Directory server. For example, username@example.com. | |
The password of the administrator account on the Active Directory server. | |
3. |
A message appears stating the results of the test. To view errors, if any, click Logs, then in the Log drop-down list, select Server Errors.
4. |
5. |
When users are logged in to devices that are joined to the Active Directory domain, they can access the appliance User Console without having to re-enter their credentials. If users are on devices that are not joined to the Active Directory domain, the login window appears and they can log in using a local appliance user account. See Add or edit System-level user accounts.
© ALL RIGHTS RESERVED. Términos de uso Privacidad Cookie Preference Center