To enable SSL, you need to have the correct SSL private key file and a signed SSL certificate. If your private key has a password, the appliance cannot restart automatically. If you have this issue, contact Quest Support at https://support.quest.com/contact-support.
NOTE: In some cases, the Firefox® browser does not display the Administrator Console login page correctly after you enable access to port 443 and restart the appliance. If that happens, clear the Firefox browser cache and cookies, then try again.
1.
   ◦ If the Organization component is not enabled on the appliance, log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin, then click Settings.
   ◦ If the Organization component is enabled on the appliance, log in to the KACE SMA System Administration Console, http://KACE_SMA_hostname/system, or select System in the drop-down list in the top-right corner of the page, then click Settings.
2.
4. In the Two-Factor Authentication section, configure the Two-Factor Authentication (2FA) feature. 2FA provides stronger security for users logging into the appliance by adding an extra step to the login process. It relies on the Google Authenticator app to generate verification codes. The app generates a new six-digit code at regular intervals. When enabled, end users will be prompted for the current verification code each time they log in.
   a. Specify the following options. They are listed in order of precedence, and you enable them from top to bottom. For example, you can only enable 2FA for the User Console if you have previously configured 2FA for the Administrator Console.
      ▪ Enable Two-Factor Authentication for the System Portal: Select this check box if you want to use 2FA for the System Administration Console. To enable 2FA for all users, select Required for all Users.
      ▪ Enable Two-Factor Authentication for the Admin Portal: This option only appears if you enabled 2FA for the System Administration Console, or if your appliance has only one organization. Select this check box if you want to use 2FA for the Administrator Console. Next, specify the users that will require 2FA during login by selecting one of the following options:
         ▪ Required for all Users: Appliances with one organization only. To enable 2FA for all users, select this option.
         ▪ Defined by Organization: Appliances with multiple organizations only. Apply the same 2FA configuration to all users in each Organization in the Administrator Console, as applicable.
         ▪ Required for all Users: Appliances with multiple organizations only. Enable 2FA for all users in the Administrator Console.
         ▪ Not required: Appliances with multiple organizations only. Disable 2FA for all users in the Administrator Console.
      ▪ Enable Two-Factor Authentication for the User Portal: This option only appears if you enabled 2FA for the Administrator Console. Select this check box if you want to use 2FA for the User Console. Next, specify the users that will require 2FA during login by selecting one of the following options:
         ▪ Defined by Organization: Apply the same 2FA configuration to all users in each Organization in the User Console, as applicable.
         ▪ Required for all Users: Enable 2FA for all users in the User Console.
         ▪ Not required: Disable 2FA for all users in the User Console.
   b. Under Transition Window, specify the amount of time during which users who require 2FA will be able to bypass the 2FA configuration step.
5. Optional: In the Appliance Encryption Key section, click Generate Key to generate a new encryption key. This key is used to enable Quest Support to access your appliance for troubleshooting using a tether. It is not necessary to generate a new key unless you believe that the current key has been compromised. See Enable a tether to Quest Support.
6.
Prevent the KACE SMA from using single sign on. Single sign on enables users who are logged on to the domain to access the KACE SMA Administrator Console and User Console without having to re-enter their credentials on the KACE SMA login page.
Use Active Directory for authentication. Active Directory uses the domain to authenticate users on the network. See Using Active Directory for single sign on.
7.
For appliances with the Organization component enabled: Enable Organization File Shares
Enable NTLMv2 authentication for the KACE SMA file shares. When this is enabled, managed devices connecting to the KACE SMA File Shares require support for NTLMv2 and they authenticate to the KACE SMA using NTLMv2. Although NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually turned off. Enabling this option disables lanman auth and ntlm auth on the Samba server. NTLMv2 Levels 1-4 are supported. If you need NTLM v2 Level 5, consider manually provisioning the KACE SMA Agent. See Manually deploying the KACE SMA Agent.
Force certain KACE SMA functions that are supported through the Samba client, such as Agent Provisioning, to authenticate to off-board network file shares using NTLMv2. Even though NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually disabled. Enabling this option enables the client ntlmv2 auth option for Samba client functions.
Enable access to the appliance over port 80. If you disable port 80 access, contact Quest Support to adjust the Agent deployment scripts to handle SSL.
Enable managed devices to connect to the appliance using SSL (HTTPS). Enable this setting only after you have properly deployed the appliance on your LAN in non-SSL mode. To enable SSL, you need to load an SSL certificate as described in step 9.
   ◦ Click SSL Certificate Form to generate certificate requests or load self-signed certificates. See Generate an SSL certificate.
   ◦ If you have an SSL certificate and private key, click Browse or Choose File in the SSL Private Key File or SSL Certificate File fields to select them. These files must be in Privacy Enhanced Mail (PEM) format, similar to those used by Apache-based web servers.
   ◦ Select Enable Intermediate SSL Certificate to enable and upload intermediate SSL certificates, which are signed certificates provided by certificate issuers as proxies for root certificates. Intermediate SSL certificates must be in PEM format.
   ◦ If your certificate is in PKCS-12 format, click Browse or Choose File in the PKCS-12 File field to select it, then enter the password for the file in the Password for PKCS-12 file field.
10. In the Secure Attachments in Service Desk section, choose whether to add security for files that are attached to Service Desk tickets:
   ◦
   ◦ Clear the check box to enable users to access files by clicking ticket links from outside the Administrator Console or User Console.
11.
NOTE: In some cases, the Firefox browser does not display the Administrator Console login page correctly after you enable access to port 443 and restart the appliance. If that happens, clear the Firefox browser cache and cookies, then try again.
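How the six-digit codes in the Two-Factor Authentication step are derived, as an added example that is not taken from the appliance or from Quest: Google Authenticator implements time-based one-time passwords (RFC 6238), and the code below generates and checks them. The 30-second interval, HMAC-SHA1, the one-interval drift allowance and the names totp, verify and SAMPLE_SECRET are assumptions; the page does not document the appliance's own parameters.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # assumed: Google Authenticator's default interval
DIGITS = 6         # six-digit codes, as the page describes


def totp(secret_b32, at=None, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 code (HMAC-SHA1) for a Base32 secret at Unix time `at`."""
    at = time.time() if at is None else at
    # Apps display secrets in Base32, often lower-case, spaced and unpadded.
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int(at) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at=None, drift_steps=1):
    """Accept a code from the current interval or `drift_steps` either side."""
    at = time.time() if at is None else at
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        moment = at + delta * STEP_SECONDS
        if moment < 0:
            continue
        # Constant-time compare, and no early exit once a match is found.
        ok |= hmac.compare_digest(totp(secret_b32, moment), submitted)
    return ok


# Constructed sample: the RFC 6238 test secret "12345678901234567890" in Base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(SAMPLE_SECRET, at=59))                   # RFC 6238 test time
    print(verify(SAMPLE_SECRET, "287082", at=59 + 30))  # one interval late
    print(verify(SAMPLE_SECRET, "287082", at=59 + 90))  # three intervals late
```

Because a code depends only on the shared secret and the clock, a verifier whose time has drifted beyond the accepted window rejects valid codes, so keep the appliance's time source synchronized.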
Active Directory single sign on enables users who are logged on to the domain to access the KACE SMA Administrator Console and User Console without having to re-enter their logon credentials each time.
Before you connect the KACE SMA to an Active Directory server, verify that:
•
•
1.
   ◦ If the Organization component is not enabled on the appliance, log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin, then click Settings.
   ◦ If the Organization component is enabled on the appliance, log in to the KACE SMA System Administration Console, http://KACE_SMA_hostname/system, or select System in the drop-down list in the top-right corner of the page, then click Settings.
2. In the Single Sign On section of the Security Settings page, select Active Directory, then provide the following information:
The host name of the domain of your Active Directory® server, such as example.com.
The user name of the administrator account on the Active Directory server. For example, username@example.com.
The password of the administrator account on the Active Directory server.
3.
A message appears stating the results of the test. To view errors, if any, click Logs, then in the Log drop-down list, select Server Errors.
4.
5.
When users are logged in to devices that are joined to the Active Directory domain, they can access the KACE SMA User Console without having to re-enter their credentials. If users are on devices that are not joined to the Active Directory domain, the login window appears and they can log in using a local KACE SMA user account. See Add or edit System-level user accounts.
You can generate a self-signed SSL certificate, or generate a certificate signing request for third-party certificates, using the Administrator Console.
1.
   ◦ If the Organization component is not enabled on the appliance, log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin, then click Settings.
   ◦ If the Organization component is enabled on the appliance, log in to the KACE SMA System Administration Console, http://KACE_SMA_hostname/system, or select System in the drop-down list in the top-right corner of the page, then click Settings.
2.
3.
4.
NOTE: If a certificate signing request has previously been generated, it appears on the page. To generate a new request, you need to update the information in the Configure section, then click Save before you click Generate Self-Signed Certificate.
5.
The common name of the appliance you are creating the SSL certificate for.
6.
1. Copy all of the text in the Certificate Signing Request section, including the lines "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" and everything in between, then send it to the certificate issuer or the person who provides your company with web server certificates.
2. When you receive a certificate from the third party, return to the Security Settings page and upload the certificate. See Configure security settings for the appliance.
1. Click Generate Self-Signed Certificate to generate and display the certificate below the Certificate Signing Request section.
2.
3.
NOTE: Your private key appears in the Private Key field. It is deployed to the appliance when you deploy a valid certificate. Do not send the private key to anyone. It is displayed here in case you want to deploy this certificate to another web server.
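A pre-upload check for the files this page asks for, as an added example that is not part of the Quest documentation: it flags a password-protected private key (which the page says prevents an automatic restart), input that is not PEM, and a signing request supplied where the signed certificate belongs. The function names and the constructed sample blocks are assumptions; the check reads PEM labels and headers only and does not validate key or certificate contents.

```python
import re

# One PEM block: BEGIN line, optional headers and Base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def pem_blocks(data):
    """Return [(label, body)] for each PEM block; [] for binary (DER, PKCS-12) input."""
    try:
        return PEM_BLOCK.findall(data.decode("ascii"))
    except UnicodeDecodeError:
        return []


def check_private_key(data):
    """Problems with a file meant for the SSL Private Key File field."""
    keys = [(l, b) for l, b in pem_blocks(data) if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        return [f"expected one PEM private key block, found {len(keys)}"]
    label, body = keys[0]
    # PKCS#8 marks encryption in the label, the traditional format in a header.
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        return ["private key is password-protected"]
    return []


def check_certificate(data):
    """Problems with a file meant for the SSL Certificate File field."""
    labels = [label for label, _ in pem_blocks(data)]
    problems = []
    if any(l.endswith("CERTIFICATE REQUEST") for l in labels):
        problems.append("contains a signing request (CSR), not a signed certificate")
    if any(l.endswith("PRIVATE KEY") for l in labels):
        problems.append("contains a private key")
    if "CERTIFICATE" not in labels:
        problems.append("no PEM CERTIFICATE block found")
    return problems


def sample(label, body="Q09OU1RSVUNURUQ="):
    """Constructed PEM block with a placeholder body (not real key material)."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()


if __name__ == "__main__":
    print(check_private_key(sample("ENCRYPTED PRIVATE KEY")))
    print(check_private_key(sample("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\n\nQ09O")))
    print(check_certificate(sample("CERTIFICATE REQUEST")))
    print(check_certificate(sample("CERTIFICATE")))
```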