Server role: Authentication
You can use the Server to centrally manage who can authenticate on remote Hosts. In Host settings the related authentication method is called Custom Server Security.
Custom server security benefits include:
- Centralized permissions management. Remote access permissions are managed on the Server. You can quickly disable any tech's access to remote Hosts without having to change permission settings on the Hosts (end-points).
- Single sign-on. A tech can sign in on the Server in their Viewer once and then log in on remote Hosts in one click without entering access credentials for each specific Host.
Follow the steps below to set up custom server security.
Step 1: Create users and groups
First, on the Server, create the users and groups to which you will grant access to your Hosts.
- Install the Server and make sure it is accessible to Viewers and Hosts.
- Open the Admin Console and click File ➝ Address book manager.
- In the left pane right click on Users and select Create new user...
- Enter a desired username in the User logon name field and click Change password....
Starting from Server version 2.7 you can enable the check box Force custom server security for a given user. If this check box is enabled, the user will only be able to connect to the Hosts using the Custom Server Security authentication method provided that this user has signed in on the Server first (a user who has not signed in on the Server is beyond "the Server's control" and cannot be forced to use a specific authentication method).
- Set a new password, click OK and close the user dialog:
- Apply the changes by clicking a green checkmark icon on the toolbar:
Important! Whenever you make changes in the Server's Address Book Manager, click the green check mark to apply them. Otherwise, the changes won't be saved.
- A new user has been created:
- (Optional) Create a group by right-clicking the Groups item and selecting Create new group... from the menu. You can add users to your groups on the Members tab:
On the Host side you must enable the Custom Server Security authentication method and select the users and/or groups to which you want to grant access to this Host.
Step 2: Enable custom server security and set permissions
- Right-click on the Host icon in the system tray and select Settings for Host:
- Navigate to Authentication and enable Custom server security:
- Click Servers:
- Click Add:
- Enter your server name and address and click OK:
Make sure you use the correct communication port. The default port is TCP 5655, but you can change it, or add multiple ports, in the server configuration dialog.
- Make sure the server is listed and click OK to close the Servers dialog:
- Click Users and access control:
- You must sign in on the server before you can set permissions. Enter your server account credentials and click OK:
- After a successful login the Permissions dialog will show up. Click Add:
- Select the user or group whom you want to grant access to this Host and click Select:
- Select the necessary permissions for the user and click OK:
In the example above you signed in as the user JohnDoe and set permissions for that same user to access this Host. However, you can sign in as any user and set permissions for any other user as well. Special administrator accounts and groups will be added to the program in subsequent updates.
- Click OK and close Host configuration window.
In order to access the remote Hosts you are permitted to access, you need to sign in on the Server in your Viewer app.
Step 3: Add the Server in the Viewer settings
- In the Viewer click Manage ➝ Server manager....
- Click Add:
- Enter a descriptive name, server address and port and click OK. The port here is the communication port used by the server. You can change it in the server configuration window.
In this example the server resides in the same LAN as the Viewer, hence the private IP address (192.168..). If you install the server outside the Viewer network, make sure that you address the server properly (using an FQDN/DNS, for example) and that the server can be accessed by your Viewer and Hosts.
- The server has been added to your servers list. Now you'll be able to select it from the dropdown menu when signing in (see below). Click OK:
Step 4: Sign in on the Server
- Click Sign in at the top right corner of the Viewer window:
- In the sign-in window enter your login and password which were set during server configuration. Make sure your server is selected in the dropdown list and click OK:
- It may take the Viewer a few seconds to sign in:
- You will know that you have signed in by looking at the top right corner of the Viewer window. It should display your username:
Step 5: Connecting to the Host
- In the Viewer click Add connection:
- Enter a descriptive name and the address of the remote PC. This can be its IP address, Internet-ID or DNS name:
The authentication server role is not tied to a specific connection type — you can use both direct connection and Internet-ID connection.
Likewise, enabling the sync server role and syncing your address book with the Server is not required for the authentication role to work.
- Click OK. You will immediately authenticate/log in on the remote Host without entering access credentials, since you have already signed in on the Server in the Viewer.
Mass-deployment of the Hosts with custom server security enabled
If you need to deploy the Host on multiple remote machines it would be suboptimal to set permissions manually on each separate Host. Instead, use the MSI Configurator to build your Host installer and pre-configure Custom Server Security settings. You can then deploy the Host across your network and have permissions already set after Host installation.
Follow the same configuration routine as described above. The only difference is that Host configuration (Step 2) is done during MSI configuration rather than on a single Host installation. See Step 4a of the MSI Configuration process.
If you have multiple techs with different permissions, plan your MSI configuration and permission-setting process carefully in advance. We highly recommend that you use groups in addition to individual user accounts. Groups allow you to quickly block or re-enable access for certain techs by simply moving their user account from one group to another. You can create a custom Host installer for each remote site (department, office etc.) and enable access to that installer for a certain group only.
Let's assume you have three departments: Marketing, Sales and Production. There are 10 techs in your company that need to remotely access computers in these three departments. Some techs should only be allowed access to some departments but not all.
One of the ways to implement this scenario would be as follows:
- On the Server create 10 user accounts (one for each tech) and three groups: Marketing, Sales and Production (see Step 1 above).
- Use the MSI Configurator to create a custom Host package for each department. When setting Custom Server Security permissions, only allow/add one group in each package. So you'll have three Host packages with "allow" permissions set for Marketing, Sales and Production groups respectively.
- Deploy Hosts in each department from the respective packages.
- Now in order to allow (or deny) access to Hosts in a given department to a certain tech, you only need to add (or remove) that tech to/from the respective group in the Server settings. For example, if you add tech A to the "Marketing" group, that tech will be able to access Hosts in the Marketing department. You can also add the same account to multiple groups, so the tech will be able to access Hosts in multiple departments.
The example above shows that in order to change your security policy you do not have to change settings on remote Hosts. You only need to make changes on the Server. This lets you manage your Host permissions centrally from one place.
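The three-department scenario above, modelled as an added example for reviewing who can reach which Hosts (this is not part of the product or its documentation). The data layout, account names such as `tech01`, and the direct user grant on the Production package are constructed assumptions; the product does not export its settings in this form.

```python
# Constructed model of the three-department scenario. The data layout is an
# assumption for illustration; the product does not export settings like this.
USERS = {f"tech{n:02d}" for n in range(1, 11)}           # 10 tech accounts
GROUPS = {                                               # Server-side groups
    "Marketing":  {"tech01", "tech02", "tech03", "tech04"},
    "Sales":      {"tech03", "tech04", "tech05", "tech06", "tech07"},
    "Production": {"tech07", "tech08", "tech09"},
}
# Permissions baked into each department's Host package (Step 2 settings).
PACKAGES = {
    "Marketing":  {"groups": {"Marketing"},  "users": set()},
    "Sales":      {"groups": {"Sales"},      "users": set()},
    "Production": {"groups": {"Production"}, "users": {"tech01"}},  # direct grant
}


def effective_access(groups, packages):
    """Map each user to the departments whose Hosts they can reach."""
    access = {}
    for dept, acl in packages.items():
        allowed = set(acl["users"])
        for group in acl["groups"]:
            allowed |= groups.get(group, set())
        for user in allowed:
            access.setdefault(user, set()).add(dept)
    return access


def remove_from_groups(groups, user):
    """Server-side change only: drop the user from every group."""
    return {name: members - {user} for name, members in groups.items()}


def review(users, groups, packages):
    """Findings an access review should surface for this layout."""
    access = effective_access(groups, packages)
    return {
        # Accounts named directly on a Host: group edits alone do not revoke them.
        "direct_grants": sorted((d, u) for d, a in packages.items() for u in a["users"]),
        # Accounts that exist on the Server but reach no Host.
        "no_access": sorted(users - set(access)),
        # Accounts that reach more than one department.
        "multi_department": sorted(u for u, d in access.items() if len(d) > 1),
    }


if __name__ == "__main__":
    print(review(USERS, GROUPS, PACKAGES))
    after = effective_access(remove_from_groups(GROUPS, "tech01"), PACKAGES)
    print("tech01 after group removal:", after.get("tech01", set()))
```

In this model, removing `tech01` from every group still leaves access to Production, because that account is named directly in the Host package; granting access only through groups keeps revocation a Server-side change.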