1.
◦ If the Organization component is not enabled on the appliance, log in to the K1000 Administrator Console, http://K1000_hostname/admin, then click Settings.
◦ If the Organization component is enabled on the appliance, log in to the K1000 System Administration Console, http://K1000_hostname/system, or select System in the drop-down list in the top-right corner of the page, then click Settings.
2.
3.
Enter the subnet mask of the specified network. For example: 24, 255.255.240.0. This is applied to the host.
5.
6.
7.
You can configure local web server settings to specify a whitelist of hosts that are allowed to access the Administrator Console, System Administration Console, and the User Console. After you create the whitelist, access is restricted to the hosts on the whitelist.
NOTE: After an IP address or domain name is whitelisted (added to the Allow List), only that IP address or domain has access. All others are blocked.
1.
◦ If the Organization component is not enabled on the appliance, log in to the K1000 Administrator Console, http://K1000_hostname/admin, then click Settings.
◦ If the Organization component is enabled on the appliance, log in to the K1000 System Administration Console, http://K1000_hostname/system, or select System in the drop-down list in the top-right corner of the page, then click Settings.
2.
Select this option to restrict access to web addresses on the Allow List. To whitelist IP addresses on the appliance’s subnet in addition to the specified destinations, select Allow all IP addresses in the same subnet as the appliance.
4.
6.
7.
8.
NOTE: After an IP address or domain name is added to the Allow List, only that IP address or domain can access that page. All others are blocked.
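Because every host not on the Allow List is blocked once the list is saved, it helps to check a planned list against the addresses administrators actually connect from. The following is an added example, not code from Quest or the appliance; it models matching as exact IP match, pre-resolved domain name match, and optional same-subnet membership, which is an assumption about the appliance's behavior, and all addresses and names in it are constructed.

```python
import ipaddress

def appliance_network(ip, mask):
    """Build the appliance subnet; mask may be a prefix ("24") or dotted ("255.255.240.0")."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def audit_allow_list(entries, clients, appliance_net=None, resolved=None):
    """Map each client IP to the rule that admits it, or None if it would be blocked.

    entries       -- Allow List entries: IP literals or domain names
    appliance_net -- pass a network only when "Allow all IP addresses in the
                     same subnet as the appliance" is selected
    resolved      -- {domain: [ip, ...]} looked up beforehand (keeps this offline)
    """
    resolved = resolved or {}
    rules = []
    for entry in entries:
        try:
            rules.append((entry, {ipaddress.ip_address(entry)}))
        except ValueError:  # not an IP literal, so treat it as a domain name
            rules.append((entry, {ipaddress.ip_address(a) for a in resolved.get(entry, [])}))
    verdict = {}
    for client in clients:
        addr = ipaddress.ip_address(client)
        match = next((name for name, addrs in rules if addr in addrs), None)
        if match is None and appliance_net is not None and addr in appliance_net:
            match = f"same subnet ({appliance_net})"
        verdict[client] = match
    return verdict

def locked_out(verdict):
    """Clients that no rule admits."""
    return sorted(c for c, rule in verdict.items() if rule is None)

# Constructed sample values (not from the product documentation).
ENTRIES = ["192.168.50.10", "admin.example.com"]
RESOLVED = {"admin.example.com": ["203.0.113.7"]}
CLIENTS = ["192.168.50.10", "10.20.30.44", "203.0.113.7", "172.16.4.9"]

if __name__ == "__main__":
    net = appliance_network("10.20.17.5", "255.255.240.0")  # 10.20.16.0/20
    for client, rule in audit_allow_list(ENTRIES, CLIENTS, net, RESOLVED).items():
        print(f"{client:15} {'allowed by ' + rule if rule else 'BLOCKED'}")
```

Run it once with and once without the appliance network to see which clients depend on the same-subnet option.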
To enable SSL, you need to have the correct SSL private key file and a signed SSL certificate. If your private key has a password, the appliance cannot restart automatically. If you have this issue, contact Quest Support at https://support.quest.com/contact-support.
NOTE: In some cases, the Firefox® browser does not display the Administrator Console login page correctly after you enable access to port 443 and restart the appliance. If that happens, clear the Firefox browser cache and cookies, then try again.
1.
◦ If the Organization component is not enabled on the appliance, log in to the K1000 Administrator Console, http://K1000_hostname/admin, then click Settings.
◦ If the Organization component is enabled on the appliance, log in to the K1000 System Administration Console, http://K1000_hostname/system, or select System in the drop-down list in the top-right corner of the page, then click Settings.
2.
4.
Optional: In the Appliance Encryption Key section, click Generate Key to generate a new encryption key. This key is used to enable Quest Support to access your appliance for troubleshooting using a tether. It is not necessary to generate a new key unless you believe that the current key has been compromised. See Enable a tether to Quest Support.
5.
Prevent the K1000 from using single sign on. Single sign on enables users who are logged on to the domain to access the K1000 Administrator Console and User Console without having to re-enter their credentials on the K1000 login page.
Use Active Directory for authentication. Active Directory uses the domain to authenticate users on the network. See Using Active Directory for single sign on.
Use Quest Identity Broker (QIB) for authentication. QIB is a cloud-based single sign on (SSO) solution that allows users to securely authenticate using various identity providers. See Using Quest Identity Broker for single sign on.
6.
For appliances with the Organization component enabled: Enable Organization File Shares
Enable NTLMv2 authentication for the K1000 file shares. When this is enabled, managed devices connecting to the K1000 File Shares require support for NTLMv2 and they authenticate to the K1000 using NTLMv2. Although NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually turned off. Enabling this option disables lanman auth and ntlm auth on the Samba server. NTLMv2 Levels 1-4 are supported. If you need NTLMv2 Level 5, consider manually provisioning the K1000 Agent. See Manually deploying the K1000 Agent.
Force certain K1000 functions that are supported through the Samba client, such as Agent Provisioning, to authenticate to off-board network file shares using NTLMv2. Even though NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually disabled. Enabling this option enables the client ntlmv2 auth option for Samba client functions.
Enable access to the appliance over port 80. If you disable port 80 access, contact Quest Support to adjust the Agent deployment scripts to handle SSL.
Enable managed devices to connect to the appliance using SSL (HTTPS). Enable this setting only after you have properly deployed the appliance on your LAN in non-SSL mode. To enable SSL, you need to load an SSL certificate as described in step 8.
(Displayed only if Enable SSL is selected.) Enable managed devices to connect to the appliance using SSLv3, which is an older version of SSL. Because of vulnerabilities associated with SSLv3, this setting should be enabled only if you have Agent-managed devices that are running version 6.3 or earlier of the K1000 Agent. SSLv3 is disabled by default on new K1000 appliances. For more information about SSLv3 vulnerabilities, see https://support.quest.com/kb/136510.
◦ Click SSL Certificate Form to generate certificate requests or load self-signed certificates. See Generate an SSL certificate.
◦ If you have an SSL certificate and private key, click Browse or Choose File in the SSL Private Key File or SSL Certificate File fields to select them. These files must be in Privacy Enhanced Mail (PEM) format, similar to those used by Apache-based web servers.
◦ Select Enable Intermediate SSL Certificate to enable and upload intermediate SSL certificates, which are signed certificates provided by certificate issuers as proxies for root certificates. Intermediate SSL certificates must be in PEM format.
◦ If your certificate is in PKCS-12 format, click Browse or Choose File in the PKCS-12 File field to select it, then enter the password for the file in the Password for PKCS-12 file field.
9.
In the Secure Attachments in Service Desk section, choose whether to add security for files that are attached to Service Desk tickets:
◦
◦ Clear the check box to enable users to access files by clicking ticket links from outside the Administrator Console or User Console.
10.
NOTE: In some cases, the Firefox browser does not display the Administrator Console login page correctly after you enable access to port 443 and restart the appliance. If that happens, clear the Firefox browser cache and cookies, then try again.
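The SSL steps above require PEM-format key, certificate, and intermediate files, and a password-protected private key prevents the appliance from restarting automatically. The following pre-upload check is an added example, not code from Quest or the appliance; it inspects only the PEM framing (block labels and encryption markers), does not verify that the key matches the certificate, and uses constructed sample data with placeholder bodies.

```python
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_pem(data: bytes):
    """Return [(label, is_encrypted)] for each PEM block; [] if the data is not PEM."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return []  # binary input such as DER or PKCS-12
    return [(label, label == "ENCRYPTED PRIVATE KEY"        # PKCS#8, encrypted
                    or "Proc-Type: 4,ENCRYPTED" in body)     # legacy OpenSSL format
            for label, body in PEM_BLOCK.findall(text)]

def preflight(key_bytes, cert_bytes, intermediate_bytes=None):
    """Return a list of problems found; an empty list means the files look uploadable."""
    problems = []
    key = inspect_pem(key_bytes)
    if len(key) != 1 or not key[0][0].endswith("PRIVATE KEY"):
        problems.append("key: expected exactly one PEM private key")
    elif key[0][1]:
        problems.append("key: password-protected, appliance cannot restart automatically")
    named = [("certificate", cert_bytes)]
    if intermediate_bytes is not None:
        named.append(("intermediate", intermediate_bytes))
    for name, data in named:
        blocks = inspect_pem(data)
        if not blocks or any(label != "CERTIFICATE" for label, _ in blocks):
            problems.append(f"{name}: expected PEM CERTIFICATE block(s)")
    return problems

# Constructed samples: bodies are placeholders, only the PEM framing is inspected.
def make_pem(label, body="QUJDREVGRw=="):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()

PLAIN_KEY = make_pem("PRIVATE KEY")
LEGACY_ENCRYPTED_KEY = make_pem("RSA PRIVATE KEY",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\nQUJDREVGRw==")
PKCS8_ENCRYPTED_KEY = make_pem("ENCRYPTED PRIVATE KEY")
CERT = make_pem("CERTIFICATE")
DER_KEY = b"\x30\x82\x04\xa4\x02\x01\x00"  # binary (non-PEM) input

if __name__ == "__main__":
    for name, key in [("plain", PLAIN_KEY), ("legacy-encrypted", LEGACY_ENCRYPTED_KEY),
                      ("pkcs8-encrypted", PKCS8_ENCRYPTED_KEY), ("der", DER_KEY)]:
        print(name, preflight(key, CERT, CERT + CERT) or "ok")
```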
Active Directory single sign on enables users who are logged on to the domain to access the K1000 Administrator Console and User Console without having to re-enter their logon credentials each time.
Before you connect the K1000 to an Active Directory server, verify that:
•
•
1.
◦ If the Organization component is not enabled on the appliance, log in to the K1000 Administrator Console, http://K1000_hostname/admin, then click Settings.
◦ If the Organization component is enabled on the appliance, log in to the K1000 System Administration Console, http://K1000_hostname/system, or select System in the drop-down list in the top-right corner of the page, then click Settings.
2.
In the Single Sign On section of the Security Settings page, select Active Directory, then provide the following information:
The hostname of the domain of your Active Directory® server, such as example.com.
The username of the administrator account on the Active Directory server. For example, username@example.com.
The password of the administrator account on the Active Directory server.
3.
A message appears stating the results of the test. To view errors, if any, click Logs, then in the Log drop-down list, select Server Errors.
4.
5.
When users are logged in to devices that are joined to the Active Directory domain, they can access the K1000 User Console without having to re-enter their credentials. If users are on devices that are not joined to the Active Directory domain, the login window appears and they can log in using a local K1000 user account. See Add or edit System-level user accounts.
© 2021 Quest Software Inc. ALL RIGHTS RESERVED.