Server role: Authorization
You can use the Server to authenticate users and control how they further access the remote Hosts connected to the Server. This authorization method is called Custom Server Security.
Custom server security benefits include:
- Centralized permissions management. Remote access permissions are managed on the Server. You can quickly disable any tech's access to remote Hosts without having to change permission settings on the Hosts (end-points).
- Single sign-on. A tech can sign in on the Server in their Viewer once and then log in on remote Hosts in one click without having to enter access credentials for specific Hosts.
Follow the steps below to set up custom server security.
Step 1: Create users and groups
First, create on the Server the users and groups to which you will grant access to your Hosts.
- Install the Server and make sure it is accessible to Viewers and Hosts.
- Open the Admin Console and click File ➝ Address book manager.
- In the left pane, right-click Users and select Create new user...
- Enter a desired username in the User logon name field and click Change password....
Starting from Server version 2.7 you can enable the check box Force custom server security for a given user. If this check box is enabled, the user will only be able to connect to the Hosts using the Custom server security authentication method provided that this user has signed in on the Server first (a user who has not signed in on the Server is beyond "the Server's control" and cannot be forced to use a specific authentication method).
- Set a new password, click OK and close the user dialog:
- Apply the changes by clicking a green checkmark icon on the toolbar:
Important! Whenever you make changes in the Server's Address Book Manager, click the green check mark to apply them. Otherwise, the changes won't be saved.
- A new user has been created:
- (Optional) Create a group by right-clicking the Groups item and selecting Create new group.. from the menu. You can add users to your groups on the Members tab:
On the Host side, you must enable the Custom Server Security authorization method and select the users and/or groups to which you want to grant access to this Host.
Step 2: Enable custom server security and set permissions
- Right-click on the Host icon in the system tray and select Settings for Host:
- Click Settings for Host ➝ Security:
- Click Advanced:
- Navigate to Custom server security tab:
- Select Use custom server security and click Servers:
- Click Add:
- Enter the IP address or hostname of your server and click OK:
Make sure you use the correct communication port. The default port is TCP 5655, but you can change it, as well as add multiple ports, in the server configuration dialog.
- In the Servers dialog click OK:
- Make sure your server is selected in the dropdown menu and click User access:
- You must sign in on the server before you can set permissions. Enter your server account credentials and click OK:
- Click Add:
- Select the user or group whom you want to grant access to this Host and click OK:
- Select the necessary permissions for the user and click OK:
In the example above you signed in as the user JohnDoe to set permissions for that same user. However, you can sign in as any user and set permissions for any user. Special administrator accounts and groups will be added to the program in subsequent updates.
- Close all Host settings windows.
In order to access the remote Hosts you are permitted to access, you need to sign in on the Server in your Viewer app.
Step 3: Add the Server in the Viewer settings
- In the Viewer click Manage ➝ Server manager....
- Click Add:
- Enter a descriptive name, server address and port and click OK. The port here is the communication port used by the server. You can change it in the server configuration window.
For the purpose of this tutorial, we use the server that resides in the same LAN as the Viewer. Hence the private IP address (192.168..). It is most likely that in your scenario the server is located outside the network (i.e. on the Internet), so you'll need to specify the correct IP address or DNS name and make sure that the server can be accessed by your Viewer and Hosts.
- The server has been added to your servers list. Now you'll be able to select it from the dropdown menu when signing in (see below). Click OK:
Step 4: Sign in on the Server
- Click Sign in at the top right corner of the Viewer window:
- In the sign-in window enter your login and password which were set during server configuration. Make sure your server is selected in the dropdown list and click OK:
- It may take the Viewer a few seconds to sign in:
- You will know that you have signed in by looking at the top right corner of the Viewer window. It should display your username:
Step 5: Connecting to the Host
- In the Viewer click Add connection:
- Enter a descriptive name and the address of the remote PC. This can be its IP address, Internet-ID or DNS name. Click OK:
The authorization server role is not tied to a specific connection type — you can use both direct connection and Internet-ID connection.
Likewise, enabling the sync server role and syncing your address book with the Server is not required for the authorization role to work. You can as well use the local address book.
- Provided you have enabled the Connect now checkbox above, you will be authorized on the remote Host immediately without having to enter your access credentials, since you have already signed in in the Viewer.
Mass-deployment of the Hosts with custom server security enabled
If you need to deploy the Host on multiple remote machines it would be suboptimal to set permissions manually on each separate Host. Instead, use the MSI Configurator to build your Host installer and pre-configure Custom Server Security settings. You can then deploy the Host across your network and have permissions already set after Host installation.
Follow the same configuration routine as described above. The only difference is that Host configuration (Step 2) is done during MSI configuration rather than on a single Host installation. See Step 4a of the MSI Configuration process.
If you have multiple techs with different permissions, you need to plan your MSI configuration and permission-setting process carefully in advance. We highly recommend that you use groups in addition to individual user accounts. Groups allow you to quickly block or re-enable access for certain techs by simply moving their user account from one group to another. You can create a custom Host installer for each remote site (department, office etc.) and enable access to that installer for a certain group only.
Let's assume you have three departments: Marketing, Sales and Production. There are 10 techs in your company that need to remotely access computers in these three departments. Some techs should only be allowed access to some departments but not all.
One of the ways to implement this scenario would be as follows:
- On the Server create 10 user accounts — one for each tech, and three groups — Marketing, Sales and Production (see Step 1 above).
- Use the MSI Configurator to create a custom Host package for each department. When setting Custom Server security permissions, only allow/add one group in each package. So you'll have three Host packages with "allow" permissions set for Marketing, Sales and Production groups respectively.
- Deploy Hosts in each department from the respective packages.
- Now in order to allow (or deny) access to Hosts in a given department to a certain tech, you only need to add (or remove) that tech to/from the respective group in the Server settings. For example, if you add tech A to the "Marketing" group, that tech will be able to access Hosts in the Marketing department. You can also add the same account to multiple groups, so the tech will be able to access Hosts in multiple departments.
The example above shows that in order to change your security policy you do not have to change settings on remote Hosts. You only need to make changes on the Server. This lets you manage your Host permissions centrally from one place.
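The department scenario above as a small model, added here as an illustration and not taken from the product. It assumes a Host package's allow-list can name either users or groups (as in Step 2) and shows which techs reach which package, including the case where a user account was added directly to a package and is therefore not revoked by a group change on the Server. All account and package names are constructed.

```python
# Constructed model of the three-department scenario; names are illustrative.
# Assumption: a tech can reach a Host if the Host's allow-list names the tech
# directly or names a group the tech belongs to on the Server.

GROUPS = {  # Server side: group -> member user accounts
    "Marketing": {"techA", "techB"},
    "Sales": {"techB", "techC"},
    "Production": {"techC"},
}
HOST_PACKAGES = {  # Host side: package -> principals allowed in that package
    "marketing.msi": {"Marketing"},
    "sales.msi": {"Sales"},
    "production.msi": {"Production", "techA"},  # direct user entry
}

def effective_access(groups, packages):
    """Return {user: set of packages the user can connect to}."""
    users = set().union(*groups.values())
    users |= {p for allowed in packages.values() for p in allowed if p not in groups}
    access = {u: set() for u in users}
    for pkg, allowed in packages.items():
        for principal in allowed:
            # A group expands to its members; anything else is a user account.
            for user in groups.get(principal, {principal}):
                access[user].add(pkg)
    return access

def direct_grants(groups, packages):
    """Packages that list a user account rather than a group.
    Removing that user from a Server group does not revoke these."""
    return {pkg: {p for p in allowed if p not in groups}
            for pkg, allowed in packages.items()
            if any(p not in groups for p in allowed)}

def remove_from_group(groups, user, group):
    """Server-side change only: return a new membership map."""
    updated = {g: set(m) for g, m in groups.items()}
    updated[group].discard(user)
    return updated

if __name__ == "__main__":
    print(effective_access(GROUPS, HOST_PACKAGES))
    print(direct_grants(GROUPS, HOST_PACKAGES))
    after = remove_from_group(GROUPS, "techA", "Marketing")
    print(effective_access(after, HOST_PACKAGES)["techA"])
```

Running `direct_grants` over your planned packages before deployment lists every entry that would still need a Host-side change to revoke.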