Chatta subito con l'assistenza
Chat con il supporto

KACE Desktop Authority 11.2.1 - ExpertAssist User Guide

User Guide
Copyright Overview User Interface Home Remote Control File Transfer Help Desk Chat Computer Management Computer Settings Server Functions Scheduling and Alerts Performance Monitoring Security Preferences Custom Pages WAP and PDA Interface About Us

IP Filtering

With ExpertAssist’s IP address filtering feature you can specify exactly which computers are allowed to access ExpertAssist on your system.

The simple interface on the Security > IP Filtering page lets you maintain IP address restrictions.

If the Profiles list is empty, then filtering is disabled.

How IP Filtering works

When an IP address is checked against a list, ExpertAssist goes from the first element of the list to the last, comparing the IP address against the item. If the item is a single IP address, it only matches the remote IP if they are equal. If the item is an IP address with a subnet mask, a logical AND operation is performed on the subnet mask and the remote IP address, and the result is checked against the item’s network address to see if the remote IP address is in fact on the network. If the item is a wildcard, the remote IP address is converted to its dotted textual representation and the two strings are compared.

When a match is found, ExpertAssist checks if it should allow or deny the connection, based on the allow/deny flag belonging to it. This result is then used to decide whether to let the connection proceed.

If no match is found, then the connection is allowed. If you would like all connections to be denied by default, except for those in the list, enter a DENY:* line as the last item on the list.

It is not possible for you to lock yourself out by accident when setting up IP address restrictions from afar, i.e. you can't enter a DENY:* clause into an empty list.

To add an IP Filtering:

  1. Select the existing IP Filter and click Edit.
    Or,
    Type in the new IP Filter name in the Name edit box and click Add.
  2. The Move Up, Delete, and Move Down buttons on the IP Filtering page for the selected filter let you manage already entered filters. Select one item in the list, and move it up or down with the appropriate buttons, or remove it altogether.

  3. The Address and Subnet fields let you specify a new filtering item. You can enter the following:

    • A single IP address
    • An IP address with a subnet mask, essentially granting or denying access for a whole network.
    • An IP address with wildcards and no subnet mask. Accepted wildcards are an asterisk (*) that matches any number of characters, or a question mark (?), that matches a single character only.

  4. The Allow and Deny options in the Type drop-down list let you specify whether you want to allow or deny access to the IP address or addresses entered.

Whenever a new connection is established to ExpertAssist, the remote IP address is checked against the filter or filters in the list, and access is granted or denied accordingly. The IP filters that you set up here apply to every connection received by ExpertAssist, except for those aimed at the Virtual FTP Server. To specify IP address restrictions specific to this module you will need to use its specific IP filtering options.

Examples

Example 1.

Allow connections from IP address 215.43.21.12 and the network 192.168.0.0/16, and deny all other connections:

ALLOW:215.43.21.12
ALLOW:192.168.0.0 (255.255.0.0) –OR- ALLOW:192.168.*
DENY:*

Example 2.

Allow connections from IP address 215.43.21.12 and the network 192.168.0.0/16, but not from the address 192.168.0.12, and deny everything else:

ALLOW:215.43.21.12
DENY:192.168.0.12
ALLOW:192.168.0.0 (255.255.0.0) –OR- ALLOW:192.168.*
DENY:*

Please note that denying the connection from 192.168.0.12 comes before allowing connections to the 192.168.0.0/16 network. This is because if ExpertAssist was to find the ALLOW item first, it would let IP address 192.168.0.12 through, since it matches the condition. To prevent this, we make sure that the address 192.168.0.12 is checked before the network to which it belongs.

Example 3.

Allow all connections, except those coming from 192.168.0.12:

DENY:192.168.0.12

Example 4.

Deny all connections from the network 192.168.0.0/16 except for the subnet 192.168.12.0/24, and allow all other connections:

ALLOW:192.168.12.0 (255.255.255.0) –OR- ALLOW:192.168.12.*
DENY:192.168.0.0 (255.255.0.0) –OR- DENY:192.168.*

Yet again, ordering is crucial.

EA Logs

Here is where you view the ExpertAssist log files.

The active log file is at the top of the list and is named DesktopAuthority.log. Older logs are stored with the naming convention DAYYYYMMDD.log. For example, the ExpertAssist log file for June 1st 2018 would be called DA20180601.log.

You can enable or disable logging to text files as you will, but ExpertAssist will always log the following events to the Windows Application Log:

  1. Service Start/Stop
  2. Login/Logout
  3. Remote Control Start/Stop
  4. Telnet Login/Logout

The Application Log is used because of security considerations.

In addition, service start and stop events are always written to the DesktopAuthority.log file, no matter whether logging is enabled or disabled. You can modify the settings for these logs under the Log Settings page of the Preferences section.

The last entry in the log file list is Download all logs in one compressed file. Click this to create and download a single zipped package with all the log files above.

User Management Log

Use the User Management Log section to view the logs of the activities performed during each remote management session on the EA host you are currently managing via EA. These activities are, for example, a registry key creation, stopping/running services, remote control session data, etc. (To view the overall EA activities logs, use the EA Logs page.)

The user management logs feature the following:

  • Store the records of the activities performed during remote management sessions during the period specified in the corresponding settings – 30 days by default.
  • Are presented in a special secure ExpertAssist’s own file format — SLOG files;
  • Are saved on an EA host (by default, to an EA installation directory: %ProgramFiles%\DesktopAuthority\useractions,
    or %ProgramFiles(x86)%\DesktopAuthority\useractions).
  • Are stored encrypted on an EA host, so use the User Management Log page to read the logs’ content.
  • Are secured and protected from changes outside of EA. The standard RSA 8000 based digital signature schema is used for the security purposes. The modified or anyhow corrupted logs are marked as invalid.

To view logs:

  1. In the navigation pane of the EA Management Window, go Security -> User Management Log. The list of available SLOG log files will be shown on the page to the right in a table. Some of the columns are detailed below.

    Table 7: User Management logs data.

Table Heading

Explanation

ID

The active log (DesktopAuthority.slog) is on top of the list. The active log logs activities performed during the period when the EA services were started and stopped.

The log for the oldest session is at the bottom of the list.

Name

  • The DesktopAuthority.slog file is the active log.
  • Older logs are named according to the following convention DAYYYYMMDD_HHMMSS.slog.
    For example, the user management log file for June 1st, 2018, will be entitled DA20180601_132125.slog.

Validity

Icon that indicates an SLOG file is invalid, i.e. modified (by other means than the EA application) or anyhow corrupted.

  1. Click on an SLOG log file you need. The selected log’s details will be shown in the table below the logs list.
    The most recent records are always on top of the list.

To filter logs:

You can filter logs by the following data:

  • the user logged in to run the EA management session;
  • the date they were created or modified;
  • the validity of the logs.

To filter the list of logs:

  1. Use the desired field to set values to filter the logs’ list.

    For the User field, use the following format:
    DomainName\UserName

    For the Date from and Date to fields, either use the calendar that will show when you click on the field, or enter the date manually in the following format;
    YYYY-MM-DD.
  2. Click Apply. The list of logs will change accordingly.

SSL Setup

If you set up SSL support for ExpertAssist, all traffic between the host and the remote computer will be encrypted using industry-strength 128-bit ciphers, protecting your passwords and data. The SSL certificates generated here are used for accessing the HTML-based administration module via HTTPS, and are also used by all virtual FTP servers to secure connections if using a suitable client. Because the SSL protocol is considered insecure as it is vulnerable to the POODLE attack, ExpertAssist in fact uses high secure TLS protocol. Make sure to enable the TLS 1.1 or 1.2 protocol in the browser for the computer where you will be connecting to the remote compute from.

Setting up SSL support for ExpertAssist is done in four easy steps:

  1. First, you must set up your Certificate Authority (CA). Select the Create a self-signed certificate item in the list at the top for the page and click the Continue button. This step will allow you to start creating a CA certificate, valid for nine years, and self-sign it. All of that you can do on the next page.
  2. On the next page simply fill out the form at the bottom of the page specifying your country code, your organization and your name. Some default values are provided here from your computer’s registry. This will configure the CA selected from the list at the top of the page. If you are creating a new CA, select the Create new CA.

As the second step on this page, you need to create the server certificate. Simply fill out the form at the bottom and click the Continue button to proceed. ExpertAssist will generate a certificate request, and sign it with the Certificate Authority selected at the top of the page. The certificate created this way will be valid for ten years. Click Continue at the bottom.

  1. The third step is optional: you can now install the CA certificate in your browser. This will suppress the message you'd otherwise get about the unknown Certificate Authority every time you make a secure connection to ExpertAssist. Click on the button to download the generated certificate to your computer so that you can install it in your browser.

That’s it. You are now ready to make a secure connection to ExpertAssist. Simply use a URL in the form of https://my.machine.here:2000.

You can use the same CA certificate on several machines, but you can't use the same server certificate in more than one place.

To use one CA certificate on a network of NT machines:

  1. Perform step one on the first machine.
  2. Copy the files CACert.pem, CAKey.pem and CACert.der in the ExpertAssist directory to the other machines.
  3. Continue SSL setup from step two on all other boxes. You only have to perform step three once in this case.
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione