Devolutions 4.6 Server User Manual


Below you will find brief information for Devolutions Server 4.6. Devolutions Server is a self-hosted repository and management platform that offers a web-based password vault and session management capabilities. It's compatible with all 64-bit versions of Windows. The platform follows certain design guidelines to preserve full version history of data, be it modifications or deletions. It also has an extensive logging layer to provide full visibility on activity carried out while using the system.


Table of Contents

Part I Overview
1 What is Devolutions Server?
2 Features
3 System Requirements
4 Topologies
5 Fault Tolerance

Part II Getting Started
1 Security Checklist
2 Small Business Edition

Part III Installation
1 Web role - Install 2012R2
2 Web role - Install pre 2012R2
3 Database Instance
4 Create Devolutions Server instance

Part IV Upgrading Devolutions Server
1 Upgrading to 3.0
2 Upgrading to 3.2
3 Upgrading to 4.0
4 Upgrading to 4.5
5 Upgrading to 4.6

Part V Management
1 Devolutions Server Console
2 Authentication
3 Security
4 Advanced
5 Server Settings
  General
  Database
  Domain
  Duo
  SMS
  Security
  IIS
  Email
  Logging
  Features

Part VI Web Interface
1 Home
2 Connections
3 Administration
4 Reports
5 Tools

Part VII How-To
1 How to Configure Client Data Source
2 How to Configure Devolutions Server to use integrated security
3 How to Configure SSL
4 How to update your registration serial after a renewal
5 How to Configure Two-factor Authentication (2FA)
6 How to Configure Security Groups and Roles with AD Integration
7 How to Configure Scheduler in Devolutions Server
8 How to Configure Notifications
9 How to enable the Devolutions Server logs
10 How to import users from LDAP
11 How to configure Windows Authentication

Part VIII Support/Resources
1 FAQ (Frequently Asked Questions)
2 Follow Us
3 Previous Versions
4 Technical Support
5 Knowledge Base
  Backup
6 Troubleshooting

© 2017 Devolutions inc.

Part I Overview

1 Overview

1.1 What is Devolutions Server?

Description

Devolutions Server is an on-premise repository for storing and sharing remote connections, credentials and sensitive information.

Because it is an on-premise solution, it is quite a unique offering: what seems to be a consumer-grade experience in a corporate-grade solution.

There are two ways of using Devolutions Server:

Web-based Password Vault
Browser access & Devolutions Web Login

· Add, edit, or delete entries of various types.
· Passwords can be viewed directly using a web browser. Credentials can be automatically submitted by our Devolutions Web Login when installed in a supported web browser.
· Note that remote access technologies (RDP, VNC, etc.) are not supported within a web browser.

Password Vault and Session Management
Client application (desktop or mobile)

· Devolutions Server runs on an application server and it offers storage services, caching, and many advanced features to our client applications.
· Full edition capabilities, including more supported entry types, make our Devolutions Server the preferred tool for IT specialists.
· Unlike with browser access, Remote Desktop Manager can launch sessions using remote access technologies.

Highlights

High-End Server
Installed on-premise on an application server. Store an unlimited number of entries and manage access to these entries with our Role Based Security System.

Full Active Directory (AD) Integration
Users accessing the system will be granted permissions based on their membership in specific AD groups, making user management almost seamless for organizations that use AD to manage teams.

Sharing
Share your sessions, credentials, and sensitive data with multiple users.

Web Architecture
Implemented using a Web architecture so it can be exposed publicly on the Internet or only to your intranet or private cloud.

Web Access
Use a web browser to manage the content of your shared data source, and our Devolutions Web Login to automatically log in to web sites. The two are paired together to ease credential management.

Database Isolation
The SQL database is protected from direct user access. This may be required in order to be compliant with a security regulation at the corporate or legal level (HIPAA, PCI, etc.).

Two-Factor Authentication
Widest choice of two-factor authentication (2FA) providers. Many providers can be enabled concurrently. They can selectively be enforced per user.

Email Notifications
Optionally receive email notifications for various events on sessions, users, roles, etc.

IP Restrictions
Control access to Devolutions Server from IP addresses / ranges, including GeoIP restriction and IP whitelisting / blacklisting.

1.2 Features

Description

Caching

Server caching for better performance; this is in addition to the optional client-side caching built into our desktop/mobile clients.

User Management

Role-based security system that grants permissions based on role membership. Roles can be direct tie-ins to Active Directory groups.

Two-Factor Authentication

Widest choice of two-factor authentication providers, as well as granularity at the user level over which provider is used.

IP Restrictions

· Controlling access to Devolutions Server from IP addresses / ranges.
  o GeoIP restriction
  o IP whitelisting / blacklisting
· Login history
· Failed login attempts history

Security Aspects

· Inherited permissions which can be granular down to entries (view, add, edit, delete)
· Connection data encryption with passphrase or certificate.
· Per machine setting/credential custom values

Syslog Integration

Centralize all your logs in a protected repository.

Active Directory Integration

· Windows authentication
· Role based security system bound to Active Directory Groups for automatic grant of permissions.
· Automatic user account creation based on Active Directory, optionally limited to a specific AD group

Scheduler

· Backup: scheduled backup for the SQL Database and instance data.

· Notifications: used to send email notifications to specific users that include any activities on sessions, roles, users, etc.


System Policies

Control features available to users.

History of Changes

Monitor user activity for changes in users, roles, repositories, and data source settings.

Unlimited Entries

Although we do not limit the number of entries that can be stored in your instance, there comes a point where the performance is severely affected by the sheer volume of data exchanged between the client and server. This is made worse by using custom images and storing sizable notes within entries. The solution is to make use of the repositories feature.

Desktop / Mobile clients

The client applications offer the features most needed to meet an IT specialist's daily challenges, supporting a great number of remote access technologies, such as RDP, VNC, SSH, and more. IT professionals in our community mostly use Remote Desktop Manager.

1. Remote Desktop Manager

· Remote Desktop Manager Enterprise - Windows Edition
· Remote Desktop Manager Enterprise - Mac Edition
· Remote Desktop Manager - Android Edition
· Remote Desktop Manager - iOS Edition
· Remote Desktop Manager - Amazon FireOS Edition

2. Password Vault Manager

· Password Vault Manager Enterprise - Windows Edition
· Password Vault Manager Enterprise - Mac Edition
· Password Vault Manager - Android Edition
· Password Vault Manager - iOS Edition
· Password Vault Manager - Amazon FireOS Edition

1.3 System Requirements

Minimum Requirements

Devolutions Server needs Microsoft .NET Framework 4.5.2 to function, but Remote Desktop Manager 12.0 requires version 4.6. Please adapt your environment depending on which version you are running.

· Microsoft .NET Framework 4.5.2
· Please refer to the requirements for the .NET Framework for operating systems, as it is the driving force behind the requirements of our applications.
· 500+ MB hard drive capacity.

64-bit Support

Devolutions Server is compatible with all 64-bit versions of Windows.

Dependencies

· Microsoft SQL Server 2012/2014/2016 (including Express editions)
· Internet Information Services (IIS) 7.0 or better.
· Remote Desktop Manager Enterprise - Windows Edition must be installed on the server to manage the Devolutions Server instance(s).

Server sizing

Many customers ask how to properly size their servers for various topologies. Any general answer is essentially unreliable because the way the system is used has a significant impact on the resource usage of each node within the chosen Topology.

For a proper estimate, the following aspects must be considered:

  o Number of entries stored in your instance (server details, credentials, etc.).
  o Churn of these entries; do you create entries daily or are they quite static?
  o Number of concurrent users that connect to the Devolutions Server instance during peak times.
  o Usage of information by the users. Are they launching 10 sessions at a time, doing a batch operation that takes a few minutes, then repeating the cycle, or are they opening only a few sessions but working within them all day long? This results in write operations to our logs, therefore the former case is more intensive than the latter.

That being said, the great majority of setups that we have seen work well with nodes of 4GB RAM and a dual CPU. Most of these are virtualized environments, so granting more resources is relatively simple.

1.4 Topologies

Description

Devolutions Server instances can be installed through different topologies. The following are examples of different topologies serving various purposes.

Single Server Topology

The Devolutions Server and the SQL Server can be installed on the same machine for a small team up to 20 users. Having Devolutions Server and SQL Server on the same machine could result in certain performance issues if you attempt to serve more than 20 users.

Figure: Same server installation

Recommended Basic Topology

A recommended basic topology consists of two servers, one for the Devolutions Server and one for the SQL Database. By doing so, all queries are made by the SQL server and performance is less affected on the application server.

Figure: Basic topology

High Availability Topology

Database layer only

For high availability of the database, Database Mirroring can be used to replicate data to a partner server. The failover partner server is ready at any time should the main server become unavailable. This ensures that Devolutions Server can still access the data source, and the failover is transparent for Remote Desktop Manager users.

Figure: High availability topology

Load Balancing Topology

To ensure maximum performance of the Devolutions Server, it can be deployed in a load balancing topology as illustrated in the image below. The load balancer can be either a physical or a software system.

Figure: Load balancing Devolutions Server topology

Devolutions Server Instance Manual Failover

Customers who do not wish to purchase a load balancer, or who are seeking a simpler topology for their system, can use two Devolutions Server instances on two different web servers, both directed to the same SQL Server database. By registering both instances as separate data sources in the client applications, users can manually toggle between servers if one becomes unresponsive.

Figure: Manual failover with two Devolutions Servers

1.5 Fault Tolerance

Description

The Devolutions platform follows certain design guidelines to preserve full version history of your data, be it modifications or deletions. It also has an extensive logging layer to provide full visibility on the activity carried out while using the system. These design choices impact the choices offered to you when you wish to provide fault tolerance at the database level.

Impact on technological choices

Because of all the write operations that occur behind the scenes, you cannot have a topology other than ACTIVE/PASSIVE. The standby replica must be kept in sync at all times, but left untouched. There can be only ONE database in use at any one time. You can use either of the Microsoft technologies, mirroring or clustering, but the key point is that the replicated content is only accessed when the master content is unavailable.

Mirroring as a way to share with distant teams

A consequence of keeping replicated data untouched is that replication is NOT the proper solution to use whenever you have multiple teams and you wish to share a set of master data across them. For this scenario it is best to use a mix of:

· Synchronizers, particularly the one for RDM data
· PowerShell scripting (to export a specific branch of your tree)

Part II Getting Started

2 Getting Started

Description

This topic is for Devolutions Server - Corporate Edition. If you have instead purchased Devolutions Server - Small Business Edition, please consult Getting Started - Small Business Edition.

After completing your purchase of the Devolutions Server - Corporate Edition, an email will be sent with three license serials. Each license allows running a Devolutions Server instance. An instance is in itself a web server application which acts as a back-end for our client applications. You can think of it as a specialized database for your data. All instances can be installed on the same physical server, or spread across many.

Devolutions Server can be installed through different topology types. Please consult Topologies for additional information.

Domain requirements

These requirements apply only if you intend to use Automatic User Account Creation (see Authentication) and/or Roles to manage your instance.

· Create Active Directory groups to manage your instance. Typical examples are: RDM Admins, RDM Operators, RDM Users.
· Add domain users to the Active Directory groups.

Checklist for installing and running Devolutions Server

Software requirements on the server hosting the instance

· Microsoft .NET Framework 4.5.2 (it can be installed through the Microsoft Web Platform Installer).
· Microsoft SQL Server (see Database Instance) if you intend to host the solution on a single server.
· Internet Information Services (IIS) 7.0 or better (see https://technet.microsoft.com/enca/library/hh831475.aspx#InstallIIS ).
· Remote Desktop Manager Enterprise - Windows Edition.

Installation steps

· Create a new instance of Devolutions Server (see Create Devolutions Server instance).
· Create a Devolutions Server administrator account in the User Management.
· Create security groups and roles (see Security Group Management, Role Management and Security - Best practices).
· Add domain users or built-in users (see User Management).

2.1 Security Checklist

Description

To achieve the highest level of security, you should adhere to the following guidelines.

These recommendations are valid ONLY if the Devolutions Server instance is hosted on an intranet EXCLUSIVELY. You must involve a person with knowledge of Internet security to safely host any application on the Internet. You need to protect the site from Denial of Service attacks using an appliance or a security module that is external to Devolutions Server.

General

· Use Windows Authentication exclusively.

SQL Server

· Enable only the Windows Authentication Mode

· Create a domain account that will be used to create the database (RDMOwner), as well as another account that will be used by the web server to connect to the database (RDMRunner). The latter must have only the minimal set of permissions to perform its tasks.

· Communicate ONLY through an encrypted connection (SSL).
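
The three SQL Server items above can be checked from a query window once the instance is running. The T-SQL below is an added example, not part of the Devolutions manual; the domain name CONTOSO is a placeholder, and it assumes RDMOwner and RDMRunner already exist as Windows logins on the instance.

```sql
-- Added example: audit a SQL Server instance against the checklist above.
-- Assumption: CONTOSO is a placeholder domain; replace it with your own.
-- Run as a login that holds VIEW SERVER STATE (needed for the DMVs below).

DECLARE @runner sysname = N'CONTOSO\RDMRunner';  -- web server (application pool) account
DECLARE @owner  sysname = N'CONTOSO\RDMOwner';   -- account used to create the database

-- 1. "Enable only the Windows Authentication Mode"
--    IsIntegratedSecurityOnly is 1 when mixed mode is switched off.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
           WHEN 1 THEN 'OK: Windows Authentication only'
           ELSE 'FAIL: mixed mode, SQL logins can authenticate'
       END AS auth_mode_check;

-- 2. "Communicate ONLY through an encrypted connection (SSL)"
--    Lists current connections that are NOT encrypted. Remote (TCP) rows
--    here mean encryption is not being enforced. auth_scheme should read
--    NTLM or KERBEROS, never SQL.
SELECT c.session_id,
       s.login_name,
       c.client_net_address,
       c.net_transport,      -- 'Shared memory' = local connection on the server itself
       c.auth_scheme,
       c.encrypt_option
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE';

-- 3. "The latter must have only the minimal set of permissions"
--    RDMRunner must not be a sysadmin. Expect 0; NULL means the login was not found.
SELECT @runner AS login_name,
       IS_SRVROLEMEMBER('sysadmin', @runner) AS is_sysadmin;

--    Every fixed server role held by either account, for review.
SELECT p.name AS login_name, r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals   AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals   AS p ON p.principal_id = m.member_principal_id
WHERE p.name IN (@runner, @owner);

--    Database roles held by either account. Run this part in the context of
--    the Devolutions Server database. Users are matched to logins by SID
--    because the database user name can differ from the login name.
SELECT sp.name AS login_name, dp.name AS database_user, rp.name AS database_role
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS rp ON rp.principal_id = drm.role_principal_id
JOIN sys.database_principals   AS dp ON dp.principal_id = drm.member_principal_id
JOIN sys.server_principals     AS sp ON sp.sid = dp.sid
WHERE sp.name IN (@runner, @owner);
```

An RDMRunner row showing sysadmin or db_owner is the finding to act on: the application pool account should hold only what the running instance needs, while RDMOwner is the account that carries the elevated rights.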

Web Server

· Configure the application pool to use domain credentials. This account will be added to the SQL Server as a login and be granted only the permissions that are needed (RDMRunner).
· Serve content through SSL (https). See Configure SSL.

2.2 Small Business Edition

Description

After the purchase of the Devolutions Server - Small Business Edition, an email is sent with the license serial. This key allows you to create a new instance of Devolutions Server.

The installation procedure is available at Devolutions Server Installation.

Please check your junk/spam mail folder if you do not see the email in your inbox.

Domain requirements

These requirements apply only if you intend to use Automatic User Account Creation (see Authentication) and/or Roles to manage your instance.

· Create Active Directory groups to manage your instance. Typical examples are: RDM Admins, RDM Operators, RDM Users.
· Add domain users to the Active Directory groups.

Checklist for installing and running Devolutions Server

Software requirements on the server hosting the instance

· Microsoft .NET Framework 4.5.2 (it can be installed through the Microsoft Web Platform Installer).
· Microsoft SQL Server database (see Database Instance).
· Internet Information Services (IIS) 7.0 or better (see https://technet.microsoft.com/enca/library/hh831475.aspx#InstallIIS ).
· Remote Desktop Manager Enterprise - Windows Edition.

Installation steps

· Create a new instance of Devolutions Server (see Create Devolutions Server instance).
· Create a Devolutions Server administrator account in the User Management.
· Create Security Groups and Roles (see Security Group Management, Role Management and Security - Best practices).
· Add domain users or built-in users (see User Management).

For more detailed information about Devolutions Server, please consult the other sections of this online help.

Part III Installation

3 Installation

Topology

If you have received your serial license keys, please refer to the Getting Started topic.

A Devolutions Server instance is in fact a Web application. This allows for exposing its services on the Internet or an intranet.

The recommended topology is the use of two servers: a Database server and a Web server. For smaller installations, a single server can be used, but resources will be shared between the two roles, thereby reducing performance.

Remote Desktop Manager Enterprise - Windows Edition must be installed on the web server in order to manage the Devolutions Server instance.

Please ensure before starting the installation that you have .NET 4.5.2 installed on your machine.

It's highly recommended to enable SSL Encryption to protect communication with the instance of the SQL Server. Please follow the instructions at http://support.microsoft.com/kb/316898 . Note that we recommend this be done after the initial setup is complete.

For full Active Directory integration, the application pool uses a domain identity; both servers need to be joined to the domain.

How to install the server

Web Server pre-requisites

Please refer to the appropriate topic depending on the operating system of the web server.

· Web role - Install pre 2012R2
· Web role - Install 2012R2

After you have installed the pre-requisites, test the IIS installation by navigating to http://localhost . Do not proceed further if you do not see the IIS welcome screen; there are issues that must be resolved.

Database server pre-requisites

Please refer to Database Instance.

Create Devolutions Server Instance

Please refer to Create Devolutions Server instance.

3.1 Web role - Install 2012R2

Description

Configuration of the Web server in Windows 2012 R2 is a significant departure from previous versions.

These steps are mainly manual at this time. They were performed on a Windows 2012 R2 image that had been installed from the DVD image with the Windows Updates applied.

Install the Web Server Role

Using the Roles and Features wizard, in the Roles page, add the Web Server (IIS) role and click Next.

Figure: Roles and Features Wizard - Web Server (IIS)

Install ASP.NET

We recommend using the Web Platform Installer to install the .NET Framework. .NET 4.5 is an "in-place" upgrade of the framework, and it is complex to determine which version is installed.

Make sure that ASP.NET 4.5 is installed on your Windows server.

Add Missing Role Services

In the Security branch, enable the following authentication services: Basic, Digest, and Windows.

Figure: Web Server services

Register ASP.NET in IIS

This is best achieved using the Web Platform Installer. In IIS Manager, when the server node is selected, you will notice "Get New Web Platform Components". Use this to install the Web Platform Installer.

Figure: IIS Manager with Command to install WPI

When you launch the WPI, highlight the Products category and browse for Asp.net registration, add it, and select Install.

Install URL Rewrite module 2

This is best achieved using the Web Platform Installer. Search for URL Rewrite in WPI, add it and select Install.

You can also download it from this web page: https://www.iis.net/downloads/microsoft/url-rewrite .

Allow for Configuration Personalization by Web Applications

New to this IIS release, certain configuration settings are locked down at the root of the web site. Since Devolutions Server requires specific directives, we need to allow web applications to adapt the configuration at their level.

This is easiest when using the APPCMD executable. Open an elevated command prompt (Run As Administrator). Set the working folder to %windir%\system32\inetsrv\ and run the following two commands.

    appcmd.exe unlock config -section:system.webServer/handlers
    appcmd.exe unlock config -section:system.webServer/modules

3.2 Web role - Install pre 2012R2

Description

This section contains the first version of the instructions, applicable to a server running Windows 2008 up to 2012 (R1).

We recommend using the Web Platform Installer to install the .NET Framework. .NET 4.5 is an "in-place" upgrade of the framework, and it can be rather complex to determine which version is installed.

Web Server Pre-requisites

Make sure "Internet Information Services" is installed with all the ASP.NET requirements.

Figure: Windows features

3.3 Database Instance

Description

Install SQL Server Express or Standard. Download SQL Server 2016 Express from Microsoft's site.

If full integration with Active Directory is required, you can decide to activate Windows Authentication solely. Please refer to the MSDN online help for full details.

Under Windows authentication, you must set the Application Pool identity to an account from the domain. We recommend creating a dedicated account for this purpose. Please refer to Configure Devolutions Server to use integrated security for instructions that need to be performed AFTER creating the Devolutions Server instance.

Devolutions Server has no requirements that would dictate which communication protocol is used, nor many of the other options offered to you by the SQL Server instance. As long as the client workstation can connect to the SQL Server instance, Devolutions Server will run effectively. Please refer to the Microsoft Documentation in order to allow connectivity to the instance.

3.4 Create Devolutions Server instance

Description

If you have recently received your serial license keys, please refer to the Getting Started topic.

The Devolutions Server product can host multiple instances that will each reside in their own Web Application within IIS. The following steps are carried out using the Remote Desktop Manager Enterprise - Windows Edition.

Procedure

1. Install Remote Desktop Manager Enterprise - Windows Edition on the web server. It is available from the Download page.

2. Execute Remote Desktop Manager Enterprise - Windows Edition with elevated privileges (run as administrator). This is performed by right clicking on the application, and selecting Run as administrator.

Figure: Run Remote Desktop Manager Enterprise - Windows Edition with elevated privileges

3. Open the console by selecting Tools > Devolutions Server Console.

Figure: Tools ribbon

All operations performed through the console are done with the credentials used to launch Remote Desktop Manager. If you must use other credentials, you will need to launch another Windows session. The RunAs command does not offer the option of starting a process with elevated privileges.

4. Deploy a new server instance.

Figure: Devolutions Server Console

5. The first dialog shows whether the IIS server has all the necessary prerequisites installed and is ready to run Devolutions Server. If any error appears with the red X, please resolve the issue before proceeding.

Figure: IIS Prerequisites

6. Configure the instance by personalizing the name and description to your liking. Enter the serial license key that was sent by email, or you may Request a trial.

Figure: Devolutions Server Registration dialog

7. Select a zip file or use the automatic download function. Choose a destination folder and an IIS virtual directory name. The process that runs web sites has been granted the proper permissions under c:\inetpub\wwwroot. We recommend you create a new folder beneath it, and create the Devolutions Server instance under that folder.

Figure: Source or Destination

Figure: Create and select folder

8. Enter the Server and Database settings, and create the database with the Create Database button.

The user account that you are using to create the database must have sysadmin privileges in the SQL Server instance. Consult the Database topic for more information. If you wish to use the Integrated Security option to connect to the database, it is important to change the Application Pool Identity in the IIS Manager and set the proper permissions for the service account on the SQL database. Please consult How to Configure Devolutions Server to use integrated security.

Figure: Database dialog

9. You must choose the authentication options. For the initial setup, we recommend enabling Authenticate with Devolutions Server custom user. This guarantees connectivity for the first steps, and it can be disabled later. If you are connected to a domain, refer to the Authentication server settings for further information.

Figure: Authentication Settings

10. Make sure the Internet Information Services (IIS) is installed in order to proceed with the installation of Devolutions Server.

Figure: IIS Settings

11. Ensure the ASP.NET State service has started or is set to start automatically. The State Service is required to maintain the web session information between each call. If you select "Start ASP.NET State Service" and receive a response of "Service is not installed", this means that ASP.NET has not been installed correctly.

Figure: ASP.Net State Service configuration

12. Configure the email settings. You can decide to disable this feature by using the check box.

Figure: SMTP Configuration page

13. You can enable the Devolutions Proxy here.

14. Once all the steps are completed, click Install.

Figure: Installation summary report

15. Once the installation is complete, a window will open to confirm that the deployment of the server has been performed.

Figure: Installation completed

16. Create at least one administrator user account.

You must create an administrator account if you've enabled the Devolutions Server Authentication model. In other cases, the account name must match with the chosen authentication model. If you are unsure of the result, also enable Devolutions Server authentication, create an administrator account and grant the Administration privilege to the account. Please refer to User Management for further information about creating user accounts.

After the successful authentication with the other model, the Devolutions Server user account will have been created and you will be able to see how to format your account names. You can then disable the Devolutions Server authentication model. Please see the Automatic User Account Creation section in the topic Authentication.

17. You can test the server installation by opening the URL (e.g.: http://localhost/DVLS ) or by clicking on the globe icon in the Devolutions Server Console.

Figure: Devolutions Server Console

18. You can also test the connection from the client by creating a data source with the Register button from the Devolutions Server Console. Please refer to How to Configure Client Data Source for more information.

Part IV Upgrading Devolutions Server

4 Upgrading Devolutions Server

Upgrade

It is highly recommended as a best practice to first deploy the new version of Devolutions Server to a staging instance and verify its stability before deploying it to your whole organization. If you do not have a staging instance, we recommend a limited roll-out to ensure the workflow is supported to your satisfaction prior to impacting your whole team.

Some new releases have additional steps; please consult these topics as appropriate. Consult all versions sequentially from the version you are starting from.

· Upgrading to 3.0
· Upgrading to 3.2
· Upgrading to 4.0
· Upgrading to 4.5

These steps are intended to be achieved on a single server or a basic topology. If your environment differs from these topologies, please contact us and we will guide you on how to upgrade Devolutions Server.

Workflow

· Ensure that the instance users have the offline mode enabled and that they all perform a full refresh of the cache (CTRL+F5).
· Have your team switch to the offline mode, allowing them to work while the system is down.
· Perform a full backup of the database, and take precautions against that backup file being deleted by a maintenance plan.
· Archive the content of the folder containing the Devolutions Server instance (zip).
· Update the Maximal version of Remote Desktop Manager in Administration - Data Source Settings - Version Management - Maximal version, if this option was set before the upgrade.
· Install the desired version of Remote Desktop Manager Enterprise - Windows Edition.
· Run it with elevated privileges in order to access the Devolutions Server Console.
· Choose the Devolutions Server instance in the console, then press the upgrade button and follow the procedure below.
· Upon success, have a user upgrade his workstation with the same version of Remote Desktop Manager and test connectivity with the server instance.
· When you are satisfied, have the rest of the staff upgrade to the same version of Remote Desktop Manager.
· Update the Minimal version of Remote Desktop Manager in Administration - Data Source Settings - Version Management - Minimal version, if this option was set before the upgrade.

Wizard Steps

1. Open the Devolutions Server Console.

2. Run the Server Diagnostic to ensure you have the current prerequisites.


Devolutions Server console

3. Select the instance that you wish to upgrade.

4. Click the Upgrade server button.

Upgrade source

5. Select upgrade source. You can either use the latest General Availability release that is available online automatically, or specify the path to a zip file that you have downloaded yourself. Use this for beta releases or for earlier versions.

Select upgrade source

6. Press Next.

7. Review the summary and press Upgrade if you are satisfied.


Upgrade completed successfully

4.1 Upgrading to 3.0

Description

Please contact the support team for an appointment. We will perform the upgrade with you in a remote session.

4.2 Upgrading to 3.2

Description

Please contact the support team for an appointment. We will perform the upgrade with you in a remote session.

Errors

After upgrading Devolutions Server to version 3.2.0.0, it is possible that none of the users can authenticate on the server.


Error dialog from Data Source login attempt


Error from Web interface login attempt

Cause 1 - Username format is incorrect

It will be impossible to authenticate in Devolutions Server version 3.2 if the user name format used is only the Username instead of one of NETBIOS (Domain\Username) or UPN ([email protected]). A database script needs to be run in order to prefix the domain name in the user name field. We can send the script upon request, but we would prefer to perform this task with you in a remote session.

Cause 2 - Account authentication type is not specified

The account authentication type is not specified. Follow these steps:

1. On the computer that is hosting the Devolutions Server instance, launch Remote Desktop Manager with elevated privileges and open the Devolutions Server Console from the Tools menu.


Remote Desktop Manager Enterprise - Windows Edition Tools menu

2. Select the Devolutions Server instance and click on the User Management button.

Devolutions Server - Console

3. Edit each user and check if the Authentication type is editable. If it is, the authentication type is not specified and was guessed by the application. Please DO NOT CHANGE THE AUTHENTICATION TYPE; click on the OK button to save the Authentication type.

User Management dialog

4. Or you can use the Batch edit button in the User Management dialog to modify two or more users at the same time. Select all users with the same Authentication type and click on the Batch Edit button.

5. Check the second Override check box, select the correct Authentication type from the drop-down list and click on the OK button.

6. If the Authentication type is currently saved in the database, then it is impossible to modify it to another authentication type. Be sure to select the correct Authentication type before saving any modifications.

4.3 Upgrading to 4.0

Description

Please contact the support team for an appointment. We will perform the upgrade with you in a remote session.

Here is an overview of what to look for when upgrading to version 4.

Dependencies

This version introduces a dependency on the IIS Rewrite Module. Alas, that is the name given in the list of features, but in the Microsoft Web platform installer it is labeled URL Rewrite 2.0.

Simply run the Web platform installer, search for Rewrite, and install URL Rewrite 2.0.

Alternatively, you can download directly from https://www.iis.net/downloads/microsoft/url-rewrite and perform a manual install.

Significant changes

Administration Credentials


To work around the fact that a growing number of our users have to operate in a locked down AD structure, we have had to create a feature for you to specify administration credentials. When these are specified, they will be the account used to query the AD structure instead of the user account that we are authenticating. The administration credentials must have READ privileges in all of the domains that you are accessing.

4.4 Upgrading to 4.5

Description

Please contact the support team for an appointment. We will perform the upgrade with you in a remote session.

Dependencies

Version 4.0 introduces a dependency on the IIS Rewrite Module. Run the Microsoft Web platform installer, search for Rewrite, and install URL Rewrite 2.0.

Significant changes

The encryption between the client applications and the server has been improved significantly. Please consult Manage Encryption Keys.

4.5 Upgrading to 4.6

Description

Please contact the support team for an appointment. We will perform the upgrade with you in a remote session.

Dependencies

Version 4.0 introduces a dependency on the IIS Rewrite Module. Run the Microsoft Web platform installer, search for Rewrite, and install URL Rewrite 2.0.

Significant changes

The encryption between the client applications and the server has been improved significantly. Please consult Manage Encryption Keys.

Part V Management

5 Management

5.1 Devolutions Server Console

Description

Because Devolutions Server is in fact a web application, the management interface is provided by Remote Desktop Manager Enterprise - Windows Edition. The management interface is called the Devolutions Server Console.

Console

1. Because the Devolutions Server Console manages the IIS metabase, Remote Desktop Manager must be started with elevated privileges when the console needs to be used. Elevated privileges are granted when you use "Run as Administrator" to launch the application. You can modify the shortcut to always start it in this manner if you prefer.

2. Select Tools - Devolutions Server Console

Tools ribbon

Devolutions Server Console

Actions

· New
· Edit
· Delete
· Upgrade
· Refresh
· Manage Users
· Manage Groups
· Manage Roles
· Import Users
· View Logs
· View web client
· Explore Content of web site directory
· Register the Devolutions Server as a Data Source
· Server Diagnostic
· Pack data source
· Advanced
  o Manage Encryption Keys

5.2 Authentication

Description

Devolutions Server supports multiple authentication models.


Authentication tab

Settings

Authentication Modes

Option | Description
Authenticate with domain user | The domain is used to authenticate the user.
Authenticate with Devolutions Server custom user | The Devolutions Server is used to authenticate the user. You must create the initial user through the console.
Authenticate with local machine user | The application allows a local user to be authenticated on the server.
Authenticate with database user | The database is used to authenticate the user.

Windows Authentication

Option | Description
Enable Windows Authentication | The application will use the current Windows authenticated user to authenticate to the Devolutions Server instance.

Automatic User Account Creation

When using authentication models other than Active Directory, a user account needs to be created beforehand in order to grant access to the system.

When you are using Active Directory authentication, two choices are offered to you:

1. You can choose to create the user account manually, just as with the other authentication models; or

2. Enable Automatic Account Creation, and let Devolutions Server create user accounts as soon as they are authenticated by the domain you've linked the instance to.

After the account is created, rights and permissions are assigned either manually to the user account, or through membership in AD groups for which you have created a role mapping.

User accounts created by the server have no rights other than logging on to the system. They will be able to see and edit the objects that have no security defined. You must ensure that all sessions are protected; typically this is achieved by ensuring that all root level folders have a security group assigned to them.

Depending on the authentication mode used, the user name may be prefixed by the domain name, and the exact naming convention is controlled by the domain. For instance, for a WINDJAMMER domain that is registered as windjammer.loc, we have no way of knowing beforehand what form will be reported by the AD services. It is recommended to always enable Devolutions Server authentication as well initially, and to create an Administrator account for the initial phase of implementation.

5.3 Security

Description

The Security section of the Devolutions Server Console allows you to manage your instance. These management features are exactly the same as the ones offered under the Administration tab of the various Desktop Clients when they are connected to that instance through a Data source.

Since the latter is the one you will spend most of your time using, whenever a new instance is created, we recommend creating an administrative user, then registering the instance as a data source in your Desktop Client of choice. This will bring you into more familiar territory and will help you get around more quickly.

If you are indeed using full AD integration, where the assignment of permissions comes mostly from AD Group membership, then the roles are the mechanism that makes this work.

The sections below cover the basic management features if you cannot use a desktop client.

· Security Group Management
· User Management
· Role Management

5.3.1 Security Group Management

Description

Security Groups are used to assign a security scheme to all entries, but we recommend you set them only on folders, so that the child entries inherit the security group. There is no direct relationship between Active Directory and Security Groups. By default, every session is created without a security group, and is visible to all connected users. You can grant permissions against a group to a user account or to a role.

All sessions without security groups are considered public.

The Security Group security system will be deprecated in a future version of Remote Desktop Manager. We recommend using the new Role Based Security System.

Managing Security Groups

Security groups are managed from the Security Groups button of the Devolutions Server Console or from Administration - Security Groups.

Manage Security Groups from Devolutions Server Console

Manage Security Groups from Administration ribbon

Security groups have no significant properties of their own: they carry a name and a description. They are simply a linking mechanism between an entry and a security matrix (from the users or roles permissions). A Security group can be interpreted as a container of sessions.

Security Group Management dialog

For more information, please consult How to Configure Security Groups and Roles with AD Integration.

5.3.2 User Management

Description

With the Devolutions Server data source, you can create users and grant them permissions. You must be an administrator of the database to create users and assign rights. User management is available from the menu Users - Add User or from the Devolutions Server Console when executed locally on the server.

Devolutions Server Console

Adding a User

If you wish, you can create a user linked to a domain account or a built-in user. If the option Auto create domain users in database has been set in the Authentication tab of the Devolutions Server settings, domain users are created automatically the first time they log on. They don't have any rights except what is public.

User Management dialog

Linking a Security Group to a User

You can manage the rights and groups in the Permissions tab. A user with administrator rights has access to all of the configured sessions from all groups.


User Permission tab

Linking a Role to a User

Roles are assigned when the user is authenticated from the Domain. For more information, please consult How to Configure Security Groups and Roles with AD Integration.

5.3.3 Role Management

Description

Active Directory groups must be created before creating Roles.

Role management is only available when the Domain authentication is enabled. This allows the server to link an Active Directory (AD) group to a role in Devolutions Server. All the role settings are applied to the users that are members of the AD group.

Devolutions Server Console

Roles can be edited from the Devolutions Server Console locally on the server or from a remote data source by using the menu Roles.

Role Management dialog

For more information, please consult How to Configure Security Groups and Roles with AD Integration.

5.3.4 LDAP over SSL

LDAP over SSL (LDAPS) is a method to secure LDAP communications.

By default, LDAP communications between client and server are not encrypted. In some organizations, this could lead to a security breach.

To secure this protocol, LDAP over SSL must be set on the server and for the client authentication.

Follow this link for further information: http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

5.4 Advanced

Description

The Advanced menu offers advanced tools available with Devolutions Server.


Advanced menu

Actions

· Manage Encryption Keys

5.4.1 Manage Encryption Keys

Description

From this dialog, it is possible to manage the different encryption keys used by Devolutions Server.

Manage Encryption Keys dialog

Settings

Option | Description
Operation | Export, Import, Regenerate
Login Key | The encrypted key used by Devolutions Server for logins.
Token Storage Key | The encrypted key used by Devolutions Server for the token.
Password | The password required to export the encryption keys into a file or import them from a file.

5.5 Server Settings

5.5.1 General

Description

General tab

Settings

General

Option | Description
Name | Enter the name for your server; it will be displayed in the Content area.
Description | Enter a short description or additional information.

Registration

Option | Description
Serial | Insert your serial registration number.
Request trial | This will redirect you to our Devolutions Server page to request a free 30 days trial.

5.5.2 Database

Overview

Database tab

Settings

Database

Note that the User/Password or Integrated Security settings affect how the Devolutions Server Console communicates with the SQL database. These options do not have any impact on how users will authenticate on the Devolutions Server instance.

Option | Description
Server | Name of the server where the database will be stored.
User | Enter the username to access the database.
Integrated security | Specify to use Windows Integrated Authentication for authenticating to the database. In order for integrated security to be used to connect to the database, you must set a domain account as the Application Pool identity in the IIS Manager.
Password | Enter the password to access the database.
Test Server | Test the connection with the server to validate if the proper information has been provided.
Database | Name of the database on the server for the utilization of Remote Desktop Manager.
Create Database | If the database doesn't already exist you can create one directly from here. In order to use integrated security correctly, the database must be created with db_owner rights.
Test Database | Test the connection with the database to validate if the proper information has been provided.
Update Database | Update the database on the server, if required to use Remote Desktop Manager.
Use SQL Server encrypted connection | Use SSL to encrypt communication with the database.
Trust server certificate | Always trust the server certificate.
Caching mode | The caching mode will determine how the instance will re-load entries when changes are detected. On large data sources caching is a must and will increase performance significantly.
Failover partner | The name of the failover partner server if database mirroring is configured. This is used only for the initial connection as the principal server will return a name which will replace the configured value when different.
Email Schema to Support | Directly sends your schema to the Devolutions Support team.
View database version | View what is your current database version.

5.5.3 Authentication

Overview

Select the type of authentication method used by your users to connect to the Devolutions Server. As a best practice, we strongly recommend the Domain Authentication method, as it can be integrated with Active Directory groups and is easier to manage.

Authentication tab

Settings

Authentication Modes

Option | Description
Authenticate with domain user | The domain is used to authenticate the user.
Authenticate with Devolutions Server custom user | The Devolutions Server is used to authenticate the user. You must create the initial user through the console.
Authenticate with local machine user | The application allows a local user to be authenticated on the server.
Authenticate with database user | The database is used to authenticate the user.

Windows Authentication

Option | Description
Enable Windows Authentication | The application will use the current Windows authenticated user to authenticate to the Devolutions Server instance.

5.5.4 Domain

Description

The domain is used to authenticate the user. This is the most secure, flexible and easiest to manage. No need to sync users between the domain and Devolutions Server. On first use of the Devolutions Server data source, the user will be created and be given access rights according to their role in the organization as defined on the domain. You simply need to grant appropriate permissions to your roles in Devolutions Server. Upon authentication we will validate the AD groups to which the user belongs, and for any that have a corresponding role we will grant the permissions to the user.

Settings

Domain tab

Domain Authentication

Option | Description
Domain | Specify the remote computer domain name.
Administration credentials | Add the credentials of a domain administrator account to access the Active Directory forest. This is needed when the server hosting the instance is not located on the domain.
Allow logins using email address | Allow users to use their email address to connect to the Devolutions Server instance. The email address field must be filled in the User Management.
Use nested AD group | Use the Active Directory group configured in the parent AD Group.

LDAPS

Option | Description
Enable LDAPS | Enable the LDAP over SSL communication.
Default | LDAPS default communication port.
Port | Set a specific port value.

Automatic User Creation

Option | Description
Auto create domain users in database | Automatically create the domain user in the database.
Only from this AD group | Will create automatically the user only if he is a member of this AD group.
Username Format | Select the username format that will be created in the User Management.
· UPN : The user will be created using the UPN format ex: [email protected].
· NetBios : The user will be created using the NetBios format ex: WINDJAMMER\bill.
· Username : The user will be created using the SAM account name.

Multi Domain

The Multi Domain feature requires the Devolutions Server Platinum Edition license. Currently, it is only working with trusted domains that belong to the same AD Forest.

Option | Description
Multi domain | Enable the Multi domain feature
Trusted domains | Add your trusted domains.

5.5.5 2-Factor Authentication

Overview

This feature is only available when using a Devolutions Server Corporate license.

Two-factor authentication (2FA) provides unambiguous identification of users by means of the combination of two different components. These components may be something that the user knows or something that the user possesses.

The use of two-factor authentication to prove one's identity is based on the premise that an unauthorized actor is unlikely to be able to supply both factors required for access. If, in an authentication attempt, at least one of the components is missing or supplied incorrectly, the user's identity is not established with sufficient certainty and access to the asset being protected by two-factor authentication will remain blocked.

Two-Factor Authentication tab


2FA supported by Devolutions Server

· Google Authenticator
· Yubikey
· SafeNet
· Duo
· AuthAnvil
· Email
· SMS
· Vasco
· Azure MFA
· Radius

For more information on how to configure the 2FA on the Devolutions Server, please follow this link.

5.5.5.1 Google Authenticator

Description

Devolutions Server supports Google Authenticator to provide an additional security layer when opening a selected data source.

Settings

Before you start the configuration, make sure you have installed the Google Authenticator application on your Android device, Blackberry or on your Apple product (iPhone, iPad or iPod Touch).

See Google Authenticator for more information on the settings.

5.5.5.2 Yubikey

Description

Devolutions Server allows you to configure Yubikey to provide an additional security layer when opening a selected data source.

Settings

Before you start the configuration, make sure you have a Yubikey in your possession.

See Yubikey for more information on the settings.

5.5.5.3 SafeNet

Description

The 2FA Email setting is only available for the Devolutions Server. It allows you to configure SafeNet to provide an additional security layer when opening a selected data source.

Settings

Before you start the configuration, make sure you have a SafeNet device (eToken, iKey or Smart Card) in your possession.

Please consult our Online Help on SafeNet settings.

Please consult the SafeNet website for more information about it.

5.5.5.4 Duo

Description

Devolutions Server allows you to configure Duo to provide an additional security layer when opening a data source.

Settings

Before you start the configuration, make sure you have created and configured your Duo account. For more information about Duo authentication, please consult the Duo web page.

See Duo for more information on the settings.

5.5.5.5 AuthAnvil

Description

Devolutions Server allows you to use AuthAnvil Authenticator to provide an additional security layer when opening a selected data source.

Settings

Before you start the configuration in Devolutions Server, make sure you have created and configured your AuthAnvil account. For more information on AuthAnvil installation please consult http://www.scorpionsoft.com/tour/intro .

See AuthAnvil for more information on the settings.

5.5.5.6 Email

Overview

The 2FA Email setting is only available for the Devolutions Server. It will request the user's email account as its second component to access the data source.

If you have selected the option Required in the 2FA usage option, every user will automatically have a 2FA request when logging in. It will not be necessary to edit each and every one of your users as long as they have an email address set in their User setting.

If you select the option Optional per User in the 2FA usage option, you will have to proceed to a set up for each user you wish to use the 2FA.

For this option to be valid you will have to configure the Server and the User.

See 2FA Email for more information on the settings.

5.5.5.7 SMS

Overview

The 2FA SMS setting is only available for the Devolutions Server. It will request the user to enter a code he has received on his mobile phone as its second component to access the data source.

If you have selected the option Required in the 2FA usage option, every user will automatically have a 2FA request when logging in. It will not be necessary to edit each and every one of your users as long as they have a mobile phone number set in their User setting.

If you select the option Optional per User in the 2FA usage option, you will have to proceed to a set up for each user you wish to use the 2FA.

For this option to be valid you will have to configure the Server and the User.

There are two possible configurations with 2FA SMS.

· 2FA SMS Free
· 2FA SMS Twilio

5.5.5.8 Azure MFA

Overview

The 2FA Azure MFA setting is only available for the Devolutions Server. It will request the user to reply with a code he has received on his mobile phone or to answer a phone call from Azure.

The Azure Multi-Factor Authentication (included in Azure AD Premium and Enterprise Mobility Suite) is required in order to be able to download the SDK file needed for the Devolutions Server configuration.

For more information on Azure Multi-Factor Authentication, please consult this web site: https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication/ .

For more information on how to configure the Azure MFA, please consult the Azure MFA settings topic.

5.5.5.9 Radius

Description

Devolutions Server supports Radius authentication to provide an additional security layer when opening a selected data source.

Settings

Before you start the configuration, make sure you have a properly configured Radius server available in your organization.

5.5.5.10 Vasco

Description

Devolutions Server supports Vasco authentication to provide an additional security layer when opening a selected data source. Vasco's two-factor authentication ensures only authenticated users gain access.

Before you start the configuration process in Devolutions Server, make sure you have created and configured your Vasco account. For more information on Vasco installation please consult https://www.vasco.com/two-factor-authentication.html .

See Vasco for more information on the settings.

5.5.6 Security

Overview

The Security tab is used for added security by controlling access to the Devolutions Server by IP address.

Security tab

Settings

IP

Option | Description
Allowed Single IPs | If you wish to restrict access to the Devolutions Server to only certain IP addresses, enter those here. If nothing is entered in this field, all IP addresses will be allowed to connect to the Devolutions Server.
Allowed Masked IPs | If you wish to restrict access to only certain Masked IPs (dividing the host part of an IP address into a subnet and host address) on the Devolutions Server, enter those Masked IP addresses here.
Denied Single IPs | If you wish to deny access to the server from certain IP addresses, enter those in this field.
Denied Masked IPs | If you wish to deny access to the server from certain Masked IP addresses (dividing the host part of an IP address into a subnet and host address), enter those in this field.
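A pre-flight check for the four IP lists above, as an added example (not code from the manual or from Devolutions Server). It assumes masked entries are written in CIDR or address/netmask notation and that the single and masked allow fields act as one allow list, neither of which the manual specifies; the function names and sample addresses are constructed for illustration.

```python
import ipaddress


def _parse(entries, kind):
    """Parse one list; return (networks, findings) without raising on bad input."""
    networks, findings = [], []
    for raw in entries:
        text = raw.strip()
        try:
            if kind == "single":
                # A single entry must be a bare address, stored as a /32 or /128.
                address = ipaddress.ip_address(text)
                networks.append(ipaddress.ip_network(str(address)))
            else:
                # Assumption: masked entries use CIDR or address/netmask notation.
                networks.append(ipaddress.ip_network(text, strict=False))
        except ValueError:
            findings.append(("invalid", raw))
    return networks, findings


def review_ip_lists(allowed_single, allowed_masked,
                    denied_single, denied_masked, must_reach):
    """Return (code, subject) findings for lists about to be entered in the Security tab.

    must_reach holds addresses that have to keep access, such as the
    administrator workstation or the client subnet gateway.
    """
    findings, allow, deny = [], [], []
    for entries, kind, bucket in (
        (allowed_single, "single", allow), (allowed_masked, "masked", allow),
        (denied_single, "single", deny), (denied_masked, "masked", deny),
    ):
        networks, errors = _parse(entries, kind)
        bucket.extend(networks)
        findings.extend(errors)

    # An address range that is both allowed and denied is ambiguous: the manual
    # does not state which list wins, so report it instead of guessing.
    for allowed_net in allow:
        for denied_net in deny:
            if allowed_net.overlaps(denied_net):
                findings.append(("overlap", "%s / %s" % (allowed_net, denied_net)))

    for raw in must_reach:
        address = ipaddress.ip_address(raw)
        # Per the manual, an empty allow list means every address may connect.
        allowed = not allow or any(address in net for net in allow)
        denied = any(address in net for net in deny)
        if not allowed:
            findings.append(("blocked", raw))
        elif denied:
            findings.append(("conflict" if allow else "denied", raw))
    return findings


if __name__ == "__main__":
    # Constructed sample values from documentation address ranges, not real hosts.
    for finding in review_ip_lists(
        allowed_single=["203.0.113.10"],
        allowed_masked=["10.20.0.0/255.255.0.0"],
        denied_single=["10.20.5.9"],
        denied_masked=["10.20.5.0/24", "10.99.0.0/33"],
        must_reach=["10.20.5.9", "198.51.100.7", "203.0.113.10"],
    ):
        print(finding)
```

Running the review before saving the tab shows whether an address that must keep access would be refused or sits in both an allow and a deny entry.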

Auto Lock

Option | Description
Enabled auto lock | Automatically locks down the access to the Server after a predetermined number of failed attempts.
Attempt Count | Enter the number of failed attempts before locking down the Server.

5.5.7 GeoIP Security

Overview

GeoIP refers to the method of locating a computer terminal's geographic location by identifying that terminal's IP address.

Settings

GeoIP Security tab

Option | Description
GeoIP Mode | Choose your method of GeoIP between:
None: Will not be using GeoIP security.
Free GeoIP: Use the GeoLite database to look up the city, AS number and other information for an IP address and then select the countries you wish to grant access to your Devolutions Server.
MaxMind: Use the MaxMind's GeoIP database to look up the city, AS number and other information for an IP address. Connect to your account by entering your User ID and License Key in the appropriate field and then select the countries you wish to grant access to your Devolutions Server.

5.5.8 IIS

Overview

The IIS settings are part of your prerequisites at the installation level. Most of what is found in this tab is automatically filled in from the information given while setting up your Devolutions Server; the IIS Settings tab is used more for information than for configuration.

IIS tab

Settings

Option | Description
Force https | Force the use of the https instead of the http.
Encrypt web.config file | Activate this option if you wish to add an extra layer of security to your configuration by encrypting your file.

5.5.9 Email

Overview

Emails are sent by our Notification engine and by some of our 2 factor authentication providers.


Email tab

Settings

General

Option: Description

Email enabled: It is mandatory to enable this option to send notifications or for some 2FA providers.

SMTP Configuration

Option: Description

Host: Enter the host for the SMTP server.

Port: Set the SMTP server port.

Enable SSL: Specifies whether to use Secure Sockets Layer (SSL) to encrypt the connection. Please see Note 1 for important information.

Username: Enter your username to connect to your SMTP server.

Password: Enter your password to connect to your SMTP server.

Send email as: Enter the display name.

Email administrator: Logs and errors will be sent to the email address entered in this field.

Test Email: Test your email settings.

Note 1

Devolutions Server only supports the SMTP Service Extension for Secure SMTP over Transport Layer Security as defined in RFC 3207. In this mode, the SMTP session begins on an unencrypted channel, then a STARTTLS command is issued by the client to the server to switch to secure communication using SSL.

An alternate connection method is where an SSL session is established up front before any protocol commands are sent. This connection method is sometimes called SMTP/SSL, SMTP over SSL, or SMTPS and by default uses port 465. This alternate connection method using SSL is not currently supported.
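The difference Note 1 describes can be checked before the SMTP settings are saved. The following is an added example, not part of the Devolutions manual or product: it probes an endpoint the way a plaintext STARTTLS client would and classifies the answer. The fake local server, the names mail.example and probe.invalid, and all function names are constructed for the demonstration.

```python
import smtplib
import socket
import threading

# Advice text is this example's wording, tied to Note 1 of the manual.
ADVICE = {
    "starttls": "STARTTLS is advertised (RFC 3207): fits the Enable SSL mode of Note 1.",
    "plaintext-only": "SMTP answers but does not offer STARTTLS: no TLS upgrade is available.",
    "no-greeting": "No plaintext banner: likely SMTPS (implicit TLS, default port 465), "
                   "which Note 1 lists as not supported.",
    "ehlo-rejected": "Server refused EHLO: extensions cannot be determined.",
    "unreachable": "TCP connection failed or the banner was not a 220.",
}


def classify_smtp_endpoint(host, port, timeout=3.0):
    """Classify how an SMTP endpoint answers a plaintext client (keys of ADVICE)."""
    try:
        # A fixed local_hostname keeps the probe from doing its own DNS lookup.
        with smtplib.SMTP(host, port, local_hostname="probe.invalid",
                          timeout=timeout) as client:
            code, _ = client.ehlo()
            if code != 250:
                return "ehlo-rejected"
            return "starttls" if client.has_extn("starttls") else "plaintext-only"
    except smtplib.SMTPServerDisconnected:
        # smtplib raises this when the banner never arrives (read timeout or EOF),
        # which is what a listener waiting for a TLS ClientHello looks like.
        return "no-greeting"
    except OSError:
        return "unreachable"


def start_fake_server(behaviour):
    """Constructed stand-in for a mail server on 127.0.0.1; returns its port.

    behaviour: 'starttls', 'plain' or 'implicit-tls'.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        listener.close()
        with conn:
            if behaviour == "implicit-tls":
                try:
                    conn.recv(1024)  # stay silent until the client gives up
                except OSError:
                    pass
                return
            conn.sendall(b"220 mail.example ESMTP\r\n")
            for line in conn.makefile("rb"):
                words = line.split()
                verb = words[0].upper() if words else b""
                if verb == b"EHLO":
                    offer = b"250-STARTTLS\r\n" if behaviour == "starttls" else b""
                    conn.sendall(b"250-mail.example\r\n" + offer + b"250 SIZE 1000000\r\n")
                elif verb == b"QUIT":
                    conn.sendall(b"221 bye\r\n")
                    break
                else:
                    conn.sendall(b"502 not implemented\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for behaviour in ("starttls", "plain", "implicit-tls"):
        kind = classify_smtp_endpoint("127.0.0.1", start_fake_server(behaviour), timeout=1.0)
        print(f"{behaviour:13} -> {kind}: {ADVICE[kind]}")
```

Against a real mail server, call classify_smtp_endpoint with the Host and Port values intended for the SMTP Configuration table.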

5.5.10 User Interface

Overview

The User Interface tab lets the user customize the interface according to their preferences. The three facets of the User Interface tab are Logo, Grid page size, and Date and time format. The settings table below lists all possible options that can be tailored to the user's specifications.

Settings

User Interface tab

Option: Description

Logo:

- None

- URL

- File

Grid page size:

- 10

- 20

- 50

Date and time format:

- Default

- US

- Custom

Date: Date/Time Format

Year:

- yyyy = 2016

- yy = 16

Month:

- MMMM = September

- MMM = Sep

- MM = 09

- M = 9

Day:

- dddd = Sunday

- ddd = Sun

- dd = 09

- d = 9 (If applicable, 25 can not be 5).

Time: Date/Time Format

Hours:

- h = 1

- hh = 01

- H = 1 (If applicable, 11 can not be 1).

- HH = 13

Minutes:

- mm = 05

- m = 5 (If applicable, 25 can not be 5).

Seconds:

- ss = 08

- s = 8 (If applicable, 25 can not be 5).

- tt = PM or AM

TimeZone:

- zzz or zz or z = EDT

5.5.11 Logging

Overview

Devolutions Server already manages its own logs. However, if you use a Syslog Server, you may also wish to connect your Devolutions Server logs to it, to centralize all your logs in one place and on a web interface.

Logging tab

Settings

General

Option: Description

Log debug information: Enable the Devolutions Server instance logs.

Syslog Server

Option: Description

Log to Syslog server: Enable the Syslog Server.

Host: Enter your Syslog Server host to connect.

Port: Enter your Syslog Server port to connect.

Protocol: Select your preferred Protocol mode between:

· TCP

· UDP

5.5.12 Features

Description

These are the different features available in Devolutions Server.

Features tab

Settings

Features

Option: Description

Allow edit entries from the web: Allows editing the properties of any entry type on the web interface.

Allow browser extensions: Allows saving credentials in the Devolutions Server instance with Devolutions Web Login.

Devolutions Proxy: Enable the Devolutions Proxy feature.

Allow Web API help page

5.5.13 Scheduler

Overview

The Scheduler is used to enable automated tasks in Devolutions Server. Some further configuration is needed before enabling these options. Consult How to Configure Scheduler in Devolutions Server for more information.

Settings

Notification

Scheduler tab

The Notifications settings are used to send email notifications to specific users. These notifications include any activities on sessions, security groups, roles, users, etc.

The Email settings must be configured in the Devolutions Server instance in order for notifications to be sent.

Category: Description

Allow notification subscription: Enable the notifications of the Devolutions Server instance.

Time Zone: Time zone used to display the time stamp in the notification email.

Backup

Category: Description

Enable backup: Enable the backup of the Devolutions Server instance.

5.5.14 Advanced

Description

The Advanced tab lets you modify advanced settings in the Devolutions Server configuration.

Advanced tab

Settings

Features

Category: Description

Token Valid Time (minutes): This is the duration of the token. When the token expires, the user must authenticate again on the Devolutions Server instance.

Part VI Web Interface

6 Web Interface

Description

Because of documented vulnerabilities of web browsers, particularly their extensions, we do not perform any password decryption in a web browser. The web interface is feature-limited purposefully and you must use the client to perform any modification to entries.

Login page

Open a browser to the URL that you have chosen for your Devolutions Server instance. If you have followed the default settings for a first installation, it should normally be available at http://localhost/dvls .

Configuration

Login page

Configuration

6.1 Home

Description

The Home is the place where you can view and edit the information about your user account.

Home page

Edit your Account

The Edit your Account button lets you change your account information such as First name, Last name, Address, Phone number, etc.

Edit your Account dialog

Change Gravatar

The Change Gravatar button lets you set your email address to point to your Gravatar image.

Change Gravatar dialog

Change Password

The Change Password button lets you change your password. This tool only works with Devolutions Custom accounts. It will not work with other account types like domain and database. You can use the Generate Password tool, which will automatically generate a password and fill in the New password field. You will have to copy and paste it in the Confirm Password field.

Change Password dialog

The Password Generator tool will open the dialog to help you choose the rules to generate a list of passwords.

Password Generator dialog

Links

The Visit our Forum and Online Help buttons will open the forum or the online help in another browser tab.

Downloads

The Downloads tab provides links to download Remote Desktop Manager and Password Vault Manager for each supported platform. It also provides the download links of the Devolutions Web Login add-on for every supported browser.

6.2 Connections

Description

6.3 Administration

Description

Modify Users

Connections page

Modify Security Groups

Users management

Modify Roles

Security Groups management

Users Locked

Role management

Users 2FA Status

Users Locked

6.4 Reports

Description

Reports

Connected users

Users 2FA Status

Login attempts

Reports - Connected User List

Login history

Reports - Login Attempt

Reports - Login History

6.5 Tools

Description

TBD

Part VII How-To

7 How-To

7.1 How to Configure Client Data Source

Create Devolutions Server data source

1. Select File - Data Sources.

File - Data Sources

2. New Data Source.

Data Source configuration dialog

3. Select the Devolutions Server data source.

Add New Data Source dialog

4. Specify settings.

If you specify %USERDOMAIN%\%USERNAME% in the user text area, the value of the corresponding environment variables will be used.

Data Source configuration

Notes

If the server is configured to only allow SSL, ensure that the server URL uses the https:// protocol.

7.2 How to Configure Devolutions Server to use integrated security

Description

In order for integrated security to be used to connect to the database, you must set the application pool to run under a domain account.

Steps

To make these instructions simpler, we will name the domain account RDMRunner; please adapt to your requirements.

· Create the RDMRunner account in the domain;

· Grant access to the SQL Server instance to RDMRunner;

· Grant access to the database to RDMRunner;

· In IIS Manager, expand the Application pool section and locate the application pool used by your Devolutions Server site. By default it has the same name as the web application;

· In the advanced settings, edit the Identity setting to set the RDMRunner account.

Application pool Identity

7.2.1 How to Grant access to SQL Server instance

Description

In order to use Integrated Security you will need to grant access and specific permissions to the domain account used to connect to the SQL Server Instance.

Steps

To make these instructions simpler, we will name the domain account RDMRunner; please adapt to your requirements.

1. Using Microsoft SQL Server Management Studio, right-click on the Security branch and select New - Login.

2. In the dialog, click on Search.

MSSQL

Login - New

3. Change the location to your domain and then select the RDMRunner user account.

Select User or Group

4. In the User Mapping Section, find your database and check the Map checkbox.

User Mapping

5. In the Database role membership, grant the db_datareader role and then click OK to save the login.

Database role membership

Permissions

The permissions described below allow for ALL management operations to be performed through the Devolutions Server instance.

Some may desire to harden the system. Hardening the system means disallowing certain operations from the Devolutions Server instance, which would make using a SQL Server data source, bound to the same database, necessary for these operations. For instance, you could decide not to allow users to be created through the instance, but only through a direct SQL connection. Please contact us to discuss these scenarios.

At the Database level you will need to grant these permissions:

GRANT INSERT, DELETE, UPDATE ON Attachment TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON BackupJob TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON BackupLog TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON ConnectionHistory TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON ConnectionLog TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON Connections TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON DatabaseInfo TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON DataSourceSettingHistory TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON GroupInfo TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON GroupInfoHistory TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON LoginAttempt TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON LoginHistory TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON LogMessage TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON Repository TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON RepositoryHistory TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON Subscription TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON SubscriptionEvent TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON Todo TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON TodoUsers TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON UserAccount TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON UserGroupInfo TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON UserInfo TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON UserInfoHistory TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON UserProfile TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON UserRole TO [DOWNHILL\RDMRunner];
GRANT INSERT, DELETE, UPDATE ON UserSecurity TO [DOWNHILL\RDMRunner];

Please note that these instructions were valid for version 315 of the database schema. If you run into issues and the schema is of a higher version please contact us. To identify the current schema version, run

SELECT [DatabaseVersion] FROM [DatabaseInfo]

7.3 How to Configure SSL

Description

Please perform these steps only after you have configured the Devolutions Server instance and have successfully connected to it through a client application. Performing these steps right from the start adds a layer of complexity that may prevent you from succeeding in the initial configuration.

Import Certificate or Create Self-Signed Certificate

1. Select the server node in the tree view and double-click the Server Certificates feature in the list view:

Server certificates

2. Click Import Certificate... in the Actions pane, or click Create Self-Signed Certificate... in the Actions pane.

Create a SSL Binding

1. Select the web site in the tree view.

Follow the wizard

IIS Tree view

2. Click Bindings... in the Actions pane. This brings up the bindings editor that lets you create, edit, and delete bindings for your Web site. Click Add... to add your new SSL binding to the site.

Add binding

3. Select https in the Type drop-down list. Select the self-signed certificate you created in the previous section from the SSL Certificate drop-down list and then click OK.

Define https binding

4. Now you have a new SSL binding on your site.

The new binding

Configure SSL Settings in IIS

1. Select a Devolutions Server application in the tree view.

IIS Tree view

2. Click on SSL Settings

Web site icons

3. Configure SSL settings if you want your site to require SSL, or to interact in a specific way with client certificates. Click the site node in the tree view to go back to the site's home page. Double-click the SSL Settings feature in the middle pane. Select Require SSL and click Apply.

SSL Settings

Modify the Devolutions Server configuration

1. Start any text editor (Notepad) using right-click, Run as Administrator.

2. Open the file "web.config" found in the Devolutions Server install directory.

3. Locate this line in the file:

<add key="ForceHttps" value="false" />

4. Modify the value from false to true.

5. Save the file.

Configure SSL Settings in the Client applications

1. Edit the Devolutions Server data source

2. Change the server URL to use the https:// protocol

7.4 How to update your registration serial after a renewal

Description

Devolutions Server is licensed as a yearly subscription which must be kept current. With the renewal, a new license key is provided and needs to be entered in your instance configuration.

Your data is always available even if the subscription is expired. You simply need to connect directly to that database by using a SQL Server data source.

Settings

Remote Desktop Manager Enterprise - Windows Edition must be started with elevated privileges in order to use the Devolutions Server Console.

Click on Tools -> Devolutions Server Console menu and edit your Devolutions Server instance.

Devolutions Server Console

Replace the existing license key with the new one that you have received by email in the General - Registration section.

Server Settings General tab

7.5 How to Configure Two-factor Authentication (2FA)

Steps

This feature is only available when using a Devolutions Server Corporate license

· In the Server Settings, select the Two-Factor tab

Two-Factor tab

General

Option: Description

2FA usage:

- None: Will not be using the two factor authentication.

- Optional: Only users with 2FA configured in their profile will be prompted with a 2FA validation.

- Required: Every user will need 2FA to connect to the Devolutions Server instance.

Send reset email to:

- Administrator: Sends reset email to all users that have the Administrator check-box checked. Note that this does NOT include those that get the privilege through belonging to a role. If using AD integration exclusively, this is not a recommended value.

- Specific email: Sends reset email to the email address specified in the Specific email control. Note that the control appears only when the Specific email value is selected.

Specific email: Email address which will receive reset emails.

2FA supported

Each of our client applications will support one or multiple 2FA providers.

Default

Option: Description

Default: The Default option will only be activated when selecting Required in the 2FA usage option. If choosing more than one 2FA mode, you will then be able to select the Default 2FA method for your users.

Configure Users

If Optional is set in Two-factor usage, the users for which you require 2FA must be configured.

1. On the Devolutions Server console, click on the Users icon to configure the users that should use the 2FA if the option Optional per User is set.

Devolutions Server Console

2. Select the user and click on the Edit User button.

User and Security Management dialog

3. In General - Two factor click on Configure.

User management dialog

4. In the Two factor Configuration window click on Change.

2-Factor Configuration dialog

5. In the drop down menu select the two factor configuration (we have chosen Google Authenticator for this example) and click on Save.

2-Factor Configuration dialog

6. You can select Configure later by user or configure it immediately with your user.

Google Authenticator Setup dialog

Email

If Email or SMS Free is chosen as one of the Two Factor Supported providers, the SMTP server must be configured for the instance, and the user email address or mobile phone number must be provided in the user properties.

See the Server settings - Email for more information.

2FA SMS and 2FA EMail warning message

7.5.1 Email settings

Settings

1. In the Email tab, configure your SMTP Server.

Email settings

2. On the Two-Factor tab, select Email as your 2FA mode.

Two-Factor settings

3. Once the SMTP server is configured click on Save. A window will pop up warning you to configure your User.

2FA Email warning message

4. In the Devolutions Server Console click on Users to configure the email account for each 2FA user.

Devolutions Server Console

5. Select the User to Edit and in the General tab enter the user's email address. If you have selected Required in the 2FA Usage, you have completed all the steps, as users will have to set up their own account when logging in for the first time. If you have selected Optional per User, click on Configure to activate the 2FA for those users and continue with the following steps.

User Management dialog

6. Click on Change to choose the 2FA method.

2-Factor Configuration dialog

7. Select the Email 2FA mode. If you have selected more than one option when setting up the 2FA, all the selected options will appear in the drop down menu. Once you have selected the 2FA type, click on Save.

8. The Email setup window will appear; select the option Configure later by user. Every time the User connects to the data source he will be prompted with the Validation email window. The user can then click on Send email validation code and an email containing the validation code will be sent. If after a few minutes you still haven't received the validation code, please verify the SMTP settings: if one of the SMTP settings isn't correctly set up, the email will never be sent and there will not be any error message.

When receiving the validation code, enter it in the appropriate field and click on Save. Your user is now set up and ready to access the Devolutions Server data source.

Email Setup dialog

7.5.2 SMS settings

Description

There are two possible configurations with 2FA SMS.

· 2FA SMS Free

· 2FA SMS Twilio

7.5.2.1 SMS Free

Description

This 2FA SMS configuration uses the free method to send SMS from a computer through an e-mail address composed of the mobile phone number and the domain of the cellular carrier (e.g.: [email protected]). Please take note that not all cellular carriers provide this type of SMS sending method.

Settings

1. In the Email tab, configure your SMTP Server.

Email settings

2. In the Two-Factor tab, select SMS as your 2FA mode.

Server Settings

3. After clicking on the Save button, it will display a message to fill in the mobile number of each user and to configure the Devolutions Server instance with the Service type set to Web API.

Configuration advice

4. On the Devolutions Server console, click on the Users icon to configure the users that should use the 2FA if the option Optional per User is set.

Devolutions Server console

5. Fill in the Mobile phone number in the Information tab of the User management window.

User Management - Information tab

6. The SMS 2FA can be configured directly through the User Management window. Click on Configure on the General tab.

User management - General tab

7. Click on Change to set the 2FA Type.

2FA Configuration

8. After setting the 2FA Type to SMS, click on Save.

2FA Configuration

9. Check the Configure later by the user check box to let the user authenticate his connection to the Datasource.

SMS setup

10. On the first connection to the Datasource, choose the Cellular carrier of the mobile phone and click on Send sms validation code.

SMS user authentication

11. A message box informs you that the SMS code has been sent.

SMS sent

12. Enter, in the proper field, the SMS Validation code and click on the Save button to complete the authentication.

Fill in the Validation code

13. For all subsequent connections to the Datasource, the SMS Validation code will be sent automatically and the user will have to fill in the Validation code field and click on the Connect button. If the Validation code was not received, click on Resend validation code.

Fill in the Validation code

7.5.2.2 SMS Twilio

Description

The SMS Twilio mode uses the Twilio SMS platform to send SMS to the mobile phone. The configuration needs a working Twilio SMS account.

Settings

1. Select SMS as your 2FA mode and click on Configure.

Server settings - 2FA configuration

2. Fill in the information for the Twilio account and click the Check button to validate it. A Success message box appears if all parameters match the Twilio account settings.

Twilio settings

Success message

3. After clicking on the Save button of the Server settings window, it will display a message to fill in the mobile number of each user and to configure the Devolutions Server instance with the Service type set to Web API.

Configuration advice

4. On the Devolutions Server console, click on the Users icon to configure the users that should use the 2FA if the option Optional per User is set.

Devolutions Server console

5. Fill in the Mobile phone number in the Information tab of the User management window.

User Management - Information tab

6. The SMS 2FA can be configured directly through the User Management window. Click on Configure on the General tab.

User management - General tab

7. Click on Change to set the 2FA Type.

2FA Configuration

8. After setting the 2FA Type to SMS, click on Save.

2FA Configuration

9. Check the Configure later by the user check box to let the user authenticate his connection to the Datasource.

10. On connecting to the Datasource, it will ask for the Validation code sent to the mobile phone. Click the Connect button to connect to the Datasource.

SMS Twilio validation code

11.

7.5.3 SafeNet settings

Prerequisite

1. The complete SAS-SDK provided by SafeNet.

2. Hostname provided by SafeNet.

3. The Key file related to the SafeNet Authentication Service Manager account provided by SafeNet.

Settings

1. Install the BlackShield ID .Net Authentication API on the hosting machine of Devolutions Server. Depending on the hosting server, it can be the x86 or the x64 version.

BlackShield ID .Net Authentication API

2. When this installer asks for the hostname or IP Address of your BlackShield ID Authentication Server, please fill in the information provided by SafeNet for this hostname and check the Connect using SSL option.

BlackShield ID Authentication Server Address

3. Copy the Key file in the BlackShield installation folder of the hosting computer of Devolutions Server. In this case, it is the C:\Program Files\CRYPTOCard\BlackShield ID\API\KeyFile folder.

Key file folder

4. Connect to the SafeNet Authentication Service Manager .

SafeNet Authentication Service Manager

5. Create each user from DVLS in the SafeNet Authentication Service Manager. It is very important that the user names in DVLS and SafeNet be identical.

Creating user - SafeNet

6. Next, click on the Provision button.

User Detail - SafeNet

7. Select the authentication type and click on the Provision button. In this example, we choose the MobilePASS authentication type.

Select Authentication Type - SafeNet

8. An email is sent to the user and a task has been added to the list of the Provisioning Tasks.

Provisioning Tasks - SafeNet

9. When the email is received by the user, he has to click on the link to start the token enrollment.

SafeNet self-enrollment email

10. In this example, if the MobilePASS application is not installed on the device or the computer, please install it by clicking on the download link. After it is correctly installed, click on the Enroll your MobilePASS token link.

SafeNet Self Enrollment

11. Then, accept the token in the MobilePASS application by clicking on the Activate button. Follow the instructions to activate the SafeNet token.

12. On the Devolutions Server console, select and edit the instance. Then go on the Two-Factor tab and check the SafeNet checkbox and click on the Save button.

Two-Factor tab

13. On the Devolutions Server console, click on the User Management dialog, edit each user that will use the SafeNet two factor authentication.

User Management

14. Change the Two Factor type for SafeNet and click on Save.

Two Factor Configuration dialog

15. Enter the Validation code from the MobilePASS application and click on the Save button.

SafeNet Setup

7.5.4 Azure MFA settings

Prerequisite

1. The Azure MFA SDK zip file which contains the client certificate and the private key. For more information, please consult this link https://azure.microsoft.com/en-us/documentation/articles/multifactor-authentication-sdk/#download-the-azure-multi-factor-authentication-sdk .

Settings

1. On the Devolutions Server console, in the Two-Factor tab, check the Azure MFA option and click on Configure.

Two-Factor tab

2. Click on the Read Azure MFA SDK zip file to select the file.

Azure MFA Settings dialog

3. Please select the file previously downloaded from the Azure Portal.

Select the Azure MFA SDK file

4. When the file is correctly read, it will show a Success dialog.

Azure MFA SDK zip file success

5. Each field is now filled with the information from the Azure MFA SDK file. The IP Address field is used to allow a range of addresses and the Host name field is for a given name chosen by the administrator.

Azure MFA Settings dialog

6. In the User Management, select and edit a user. Then click on Configure in the Two factor section.

User Management dialog

7. Change the Two Factor Type for AzureMFA and click on Save.

2-Factor Configuration

8. Fill in the phone number and set the communication method to SMS or Phone call. Then, click on the Save button.

Azure MFA Setup

9. When the user connects to the Devolutions Server, he will receive either a phone call, which he must answer and then press the pound key (#), or an SMS, to which he will be asked to reply with a code.

7.5.5 Radius settings

Prerequisite

1. A Radius server must be available in the organization.

2. All parameters for this configuration must be already configured on the Radius server.

Settings

1. On the Server Settings dialog from the Devolutions Server console, on the Two-Factor tab, check Radius and click on Configure.

Two-Factor tab

2. Fill in the appropriate information provided by the administrator of the Radius server in each field of the Radius Settings dialog.

Radius Settings dialog

3. Next, click on the Test button in the Radius Settings dialog and provide the Username and the Passcode. Then click on the Check button to validate the information.

Radius Settings dialog - Username

4. It is possible to configure a Failover partner for the primary Radius server. Select the Failover tab in the Radius Settings dialog. Check the Enable failover RADIUS server and fill in the information.

Radius Settings dialog - Failover

5. In the User Management, select and edit a user. Then click on Configure in the Two factor section.

User Management dialog

6. Select the Radius 2FA in the Type list and click on Save.


7.5.6

Vasco settings

Prerequisite

A configured Vasco account. For more information on Vasco installation, please consult https://www.vasco.com/two-factor-authentication.html .

Settings

1. Select Vasco from the list of available 2-Factor Authentication types.

2-Factor Authentication - Vasco

2. Configure your Vasco settings. An example is provided below.

Vasco soap Settings - Configuration Screen

Option: Description

Url: Website of the server.

Component Type: The instance name created in Vasco.

Password Format:

One-Time Password (OTP): One-time passwords can only be used once, during a very short time, e.g. 10 seconds. They offer superior security to static passwords, which are more vulnerable to unauthorized use because they remain the same.

Static Password: Most conventional method of password authentication. It is also the least secure method of preserving your password. Your password essentially remains the same from the moment it is created, until it is changed or updated for that specific account.

7.6

How to Configure Security Groups and Roles with AD Integration

Description

These steps provide information on how to implement user security on Devolutions Server through Security Groups and Roles with Active Directory integration. For more information, please follow this link on our Online Help about Security Best Practices .

The Security Group security system will be deprecated in a future version of Remote Desktop Manager. We recommend using the new Role Based Security System .

Steps

Create Security Groups

1. Open the Security Groups Management from the Devolutions Server Console.

Devolutions Server Console

2. Add a Security Group by clicking on the Add Security Group button.


User and Security Management dialog

3. Add a Name and a Description for this new Security Group and click on the OK button.

Security Management dialog

4. On the Security Group Rights dialog, don't change anything and click on the Save button. The permissions on the new security group will be set at the role level.


Security Group Rights dialog

5. Set the Security group in the Permission tab of the Group Folder properties and click on the OK button.


6. Please consult our Online Help on how to Identify Security Groups .

Create Roles from the Active Directory Groups

7. Open the Roles Management dialog from the Devolutions Server Console.

8. Add a new Role.

Devolutions Server Console


User and Security Management dialog

9. On the Role Management dialog, click on the ellipsis button on the right of the Name field to select the Active Directory Group.

Role Management dialog

10. Select the Active Directory Group and click on the OK button.


Select Group dialog

11. On the Privileges tab of the Role Management dialog, you can enable one or all options to grant privileges to role members. Consult this online help page for more information about Role Management .

Privileges tab - Role Management dialog

12. On the Permissions tab of the Role Management dialog, assign the correct permissions on each Security Group.

Permissions tab - Role Management dialog

Evolution of the creation of Security Groups and Roles on the Tree View

1. Tree View before creating Security Groups and assigning them to Group Folder for a user without administrator rights.

Sessions without Security Groups

2. Tree View after Security Groups are assigned to Group Folders and before creating Roles for a user with administrator rights.

Sessions with Security Groups

3. Tree View after Security Groups are assigned to Group Folders and before creating Roles for a user without administrator rights.

Sessions without Roles permissions on Security Groups

4. Tree View after Security Groups are assigned to Group Folders and after creating Roles for a user without administrator rights.

Sessions with Roles permissions on Security Groups

7.7

How to Configure Scheduler in Devolutions Server

Description

These steps provide the information on how to configure the Scheduler feature in Devolutions Server and the IIS Manager. This makes it possible to enable the Backup and the Notification features in the Scheduler section of the Devolutions Server settings.

Steps

1. The Application Initialization Server Role must be activated on the server where the Devolutions Server instance is hosted. It is possible to check if this Server Role is installed with the Server Diagnostic tool from the server console. If the Application Initialization Server Role is already installed, continue at step 4.

IIS Features Diagnostic dialog

2. To install the Application Initialization Server Role, open the Server Manager on the machine where the Devolutions Server instance is hosted and in the Manage drop down menu, select Add Roles and Features.

Server Manager dialog

3. In the Server Roles tab, expand the branch Web Server (IIS) - Web Server - Application Development and tick the Application Initialization option box. Click on the Next button until the Install button is available and click on it to install the Server Role.

Add Roles and Features Wizard dialog

4. Open IIS Manager, expand the tree view and select Application Pools. In the Application Pools list, select your web application and click on Advanced Settings in the Actions panel on the right. Then, change the Start Mode option to the value AlwaysRunning.

IIS Manager Advanced Settings

5. Still in the Advanced Settings, set the Idle Time-Out (minutes) option and the Regular Time Interval (minutes) option to the value 0.

Application Pool Advanced Settings dialog

6. Next, select the IIS root node, the one with the server name, and double-click on the Configuration Editor icon.

IIS Manager

7. In the Section drop down menu, select system.applicationHost/applicationPools. Then, click on the ellipsis button of the Collection line.

IIS Manager Configuration Editor dialog

8. In the Collection Editor dialog, select the Devolutions Server web application. Then, set the autoStart parameter to the value True and set the startMode parameter to the value AlwaysRunning. You can close the Collection Editor.

Collection editor dialog

9. In the Section drop down menu, select system.applicationHost/serviceAutoStartProviders. Then, click on the ellipsis button of the Collection line.

IIS Manager Configuration Editor dialog

10. In the Collection Editor dialog, click on the Add link in the Actions panel on the right. Fill in the name field with the value DVLSSchedulerProvider and fill in the type field with the value PreLoader, Devolutions.Server (be sure to put a space character just after the comma). You can close the Collection Editor.

Collection Editor dialog

11. In the Section drop down menu, select system.applicationHost/sites. Then, click on the ellipsis button of the Collection line.

IIS Manager Configuration Editor dialog

12. Next, select the Default Web Site collection and on the Collection line, click on the ellipsis button.

Collection editor dialog

13. Select the web application of the Devolutions Server instance and set the serviceAutoStartProvider parameter with the value scheduleProvider. You can close every Collection Editor dialog.

Collection Editor dialog

14. To save these modifications, close the IIS Manager or click anywhere in the tree view of the IIS Manager and click on the Yes button to save everything.

Configuration Editor save dialog

15. If the Integrated Security option is activated in the Database tab of the Devolutions Server instance, the SQL user account must have the db_backupoperator database role if it is not set as the db_owner.

SQL login properties dialog
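
The result of steps 4 to 13 can be checked offline against a copy of applicationHost.config. The following Python audit is an added example, not part of the Devolutions manual or product; the pool name dvls, the application path /dvls and the sample XML are constructed assumptions. The provider name, type and reference are the literal values from steps 10 and 13, and because IIS resolves serviceAutoStartProvider against the names registered under serviceAutoStartProviders, the audit reports that those two values do not match.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config excerpt (not from a real server). The pool
# name "dvls" and application path "/dvls" are assumptions; the provider name,
# type and reference are the literal values given in steps 10 and 13.
SAMPLE_CONFIG = """\
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="dvls" autoStart="true" startMode="AlwaysRunning">
        <processModel idleTimeout="00:00:00" />
        <recycling><periodicRestart time="00:00:00" /></recycling>
      </add>
      <applicationPoolDefaults>
        <processModel idleTimeout="00:20:00" />
      </applicationPoolDefaults>
    </applicationPools>
    <serviceAutoStartProviders>
      <add name="DVLSSchedulerProvider" type="PreLoader, Devolutions.Server" />
    </serviceAutoStartProviders>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/dvls" applicationPool="dvls"
                     serviceAutoStartProvider="scheduleProvider" />
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""

# (path below the pool element, attribute, IIS built-in default, GUI label)
POOL_TIMESPANS = [
    ("processModel", "idleTimeout", "00:20:00", "Idle Time-Out"),
    ("recycling/periodicRestart", "time", "1.05:00:00", "Regular Time Interval"),
]


def timespan_seconds(value):
    """Convert an IIS timeSpan string ([d.]hh:mm:ss) to seconds."""
    days = 0
    if "." in value.split(":")[0]:
        day_part, value = value.split(".", 1)
        days = int(day_part)
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def find_child(parent, tag, **attrs):
    """Return the first <tag> child whose attributes equal attrs, or None."""
    if parent is None:
        return None
    for element in parent.findall(tag):
        if all(element.get(key) == val for key, val in attrs.items()):
            return element
    return None


def pool_setting(pool, defaults, path, attr, builtin):
    """Resolve a value: the pool, then applicationPoolDefaults, then IIS default."""
    for node in (pool, defaults):
        if node is None:
            continue
        element = node.find(path) if path else node
        if element is not None and element.get(attr) is not None:
            return element.get(attr)
    return builtin


def audit_scheduler_config(config_xml, site_name, app_path):
    """Return a list of findings; an empty list means steps 4-13 are in place."""
    root = ET.fromstring(config_xml)
    host = next(root.iter("system.applicationHost"), None)
    if host is None:
        return ["system.applicationHost section is missing"]
    site = find_child(host.find("sites"), "site", name=site_name)
    app = find_child(site, "application", path=app_path)
    if app is None:
        return [f"application {app_path!r} not found in site {site_name!r}"]

    findings = []
    pools = host.find("applicationPools")
    pool = find_child(pools, "add", name=app.get("applicationPool"))
    if pool is None:
        findings.append(f"pool {app.get('applicationPool')!r} is not defined")
    else:
        defaults = pools.find("applicationPoolDefaults")
        if pool_setting(pool, defaults, "", "autoStart", "true").lower() != "true":
            findings.append("autoStart is not True")
        if pool_setting(pool, defaults, "", "startMode", "OnDemand") != "AlwaysRunning":
            findings.append("startMode is not AlwaysRunning")
        for path, attr, builtin, label in POOL_TIMESPANS:
            value = pool_setting(pool, defaults, path, attr, builtin)
            if timespan_seconds(value) != 0:
                findings.append(f"{label} is {value}, expected 0")

    providers = host.find("serviceAutoStartProviders")
    names = [] if providers is None else [p.get("name", "") for p in providers.findall("add")]
    wanted = app.get("serviceAutoStartProvider")
    if not wanted:
        findings.append("serviceAutoStartProvider is not set on the application")
    elif wanted.lower() not in (name.lower() for name in names):
        # Names are compared case-insensitively to avoid false alarms.
        findings.append(f"serviceAutoStartProvider {wanted!r} is not registered "
                        f"(registered providers: {names})")
    return findings


if __name__ == "__main__":
    for finding in audit_scheduler_config(SAMPLE_CONFIG, "Default Web Site", "/dvls"):
        print("FINDING:", finding)
```

On a server, the file to audit is %windir%\System32\inetsrv\config\applicationHost.config; work on a copy rather than the live file.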


7.8

How to Configure Notifications

Description

These steps provide information on how to configure Notifications of activities on a Devolutions Server instance.

Steps

The Email settings must be configured in the Devolutions Server instance in order for notifications to be sent.

1. In the Server settings, select the Notifications tab. To activate the notifications, check the Allow notification subscription option and set the Time Zone to the appropriate time zone. Click on the Save button.

Scheduler tab

2. On the Administration menu, click on the Notifications icon.

Administration ribbon - Notifications

3. In the left column, select the user that will receive the email notifications and check all notification types the user should receive.

Notifications dashboard

4. Click on the Save button to save the configuration.

Notifications console

Configure more than one Entries, Connection Opened Notifications or Todos

1. Click on the plus icon at the right to add a new Entries Notification.

Entries Notification

2. Enable a second Entries Notification. It can be set on a particular Group Folder, as in the following example. The first Notification will be sent when a user adds a session anywhere in the Data Source. The second Notification will occur when someone deletes a session in the Windjammer\Corporate\Servers Group Folder.

Two Entries Notifications

3. It is also possible to set multiple notifications on Open Connections and Todos.

Opened Connections Notifications

Todos Notifications

7.9

How to enable the Devolutions Server logs

Description

The Log debug information option must be enabled in order to view the logs. Consult the Logging topic for more information.

From the Devolutions Server Console, click on the View logs icon.

Devolutions Server Console

Select the log entry to view the details in the bottom section.

Devolutions Server Log tab

7.10

How to import users from LDAP

Description

The Domain authentication method must be activated to be able to import users from LDAP. Consult the Authentication topic for more information.

From the Devolutions Server Console, click on the Import Users icon.

Devolutions Server Console

Select the users you want to add and click on the Import button.

Import Users from LDAP dialog

7.11

How to configure Windows Authentication

Description

These steps provide the information to enable the Windows Authentication feature in Devolutions Server.

Steps

1. In the Authentication tab of the Server Settings of the Devolutions Server instance, check the Enable Windows Authentication option box and click on the Save button.

Server Settings dialog

2. In the Server Roles, install the Windows Authentication server role.


Add Roles and Features Wizard dialog

3. Next, open the IIS Manager, select the server in the tree view and open the Feature Delegation in the Management section.

IIS Manager

4. Set the Authentication - Anonymous and the Authentication - Windows feature delegation to the value Read/Write.

IIS Manager - Feature Delegation

5. Finally, in the data source configuration of each client, enable the Use Windows Authentication option.

Data Source configuration dialog

Part VIII

8 Support/Resources

8.1

FAQ (Frequently Asked Questions)

What is Devolutions Server?

Devolutions Server is a specialized data source for our various client applications of the Remote Desktop Manager and Password Vault Manager platforms.

Why buy Devolutions Server?

Ideal for businesses that would prefer to store their data in-house, want to deploy their own SSL certificate or firewall, or who need Active Directory integration with role management.

What are the key benefits of Devolutions Server?

Devolutions Server is installed on your hardware, in your environment, or with your ISP to give you total control of everything, including:

· Active Directory integration
· Role management
· Hardware
· Operating System
· Firewall / Application Delivery
· Load Balancing / Fault tolerant environment for the web server layer.
· Database, including clustering / failover capabilities.
· Backups
· SSL certificates

Devolutions Server also offers an improved security model, as database access is limited to the server and no direct connection is established. This secure architecture is a significant improvement over the standard client-server architecture (SQL Server data source).

Can I get a trial of Devolutions Server?

Yes - Request a trial

Does Devolutions Server include a client license of Remote Desktop Manager?

Devolutions Server does not include any client licenses.

Is Devolutions Server subscription based?

Yes, Devolutions Server is subscription based. You can subscribe for one (1) year or three (3) years at a time, giving you unlimited client connectivity for that period of time.

What if I no longer want/need a Devolutions Server? Is my data still accessible?

Yes, once your Devolutions Server subscription is expired you can still access the data using one of our applications. However, the Devolutions Server data source will no longer be accessible. You will need to reconfigure your clients to connect directly to the database using a SQL Server data source. Since Active Directory integration will not be allowed anymore, you will need to reassign user permissions.

Can I upgrade from a SQL Server data source to Devolutions Server?

Yes, the underlying SQL server database structure for the SQL Server data source is a subset of the Devolutions Server database structure. When installing/configuring the Devolutions Server simply specify the existing database and choose upgrade.

Note: Before executing any database modification it is always a good idea to make sure you have a proper backup of the database.

Can I downgrade from a Devolutions Server down to SQL Server data source?

Yes, since the database for Devolutions Server is a superset of the SQL Server data source. Simply connect to the database using the SQL Server data source and your sessions will all be available. Keep in mind that not all Devolutions Server features will be accessible when using the SQL Server data source; you will need to review all security permissions.

8.2

Follow Us

Overview

Get the hottest information about our products - tips and tricks, case studies and new release announcements!

This is not a marketing newsletter. We focus on the issues that matter to you, whether you're looking for up-to-the-minute software tutorials, additional outside resources, or a peek at how others are using our products.

Links

Facebook http://facebook.remotedesktopmanager.com

LinkedIn http://linkedin.remotedesktopmanager.com

RSS feeds http://rss.remotedesktopmanager.com

Twitter http://twitter.remotedesktopmanager.com

YouTube http://youtube.remotedesktopmanager.com

Blog http://blog.remotedesktopmanager.com

Google+ http://plus.remotedesktopmanager.com/

Spiceworks http://spice.devolutions.net

Forum http://forum.devolutions.net

8.3

Previous Versions

Description

Here are the links to the pdf manuals of past releases.

Devolutions Server 4.0

Devolutions Server 3.2

Devolutions Server 3.0

Devolutions Server 2.5

8.4

Technical Support

Standard Support plan

Support is solely through our online forums at http://forum.devolutions.net/ .

Extended and Premium support plans

Subscribers of a paid support plan receive an email address and a plan ID. You should send your support requests to the appropriate email address and provide your plan ID in the subject line.

You are also encouraged to find information and ask questions in our forums at http://forum.devolutions.net/ . They contain years of relevant information and have the benefit of being enriched for the whole community when we post an answer.

Please consult our Support Policy for more information.

8.5

Knowledge Base

8.5.1

User Agent

User Agent of Remote Desktop Manager Enterprise - Windows Edition

The User Agent used by Remote Desktop Manager Enterprise - Windows Edition when it connects to Devolutions Server is:

Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000)

8.5.2

Ports And Firewalls

Description

Devolutions Server in itself does not dictate which ports to use for any of the resources that it accesses.

You must consult with your system administrator to ascertain which adjustments need to be made in order for the system to inter-operate with your infrastructure.

Inbound

The only inbound port that is needed for Devolutions Server is for http or https communication, as per your preference. We strongly recommend using https even if only within your own network infrastructure. Although the default port is easily changed, it is typically port 443.

Outbound

Two technologies are in play for proper operation of Devolutions Server: SQL Server and LDAP.

SQL Server

Depending on the choice of Default Instance or Named Instance that was made during the installation, the SQL Server instance will listen on different ports.

Using SQL Server Configuration Manager, you can see the details in the Protocols section.

Sql Server Configuration Manager - Protocol details

In most cases, TCP/IP will be used for remote connections. You will be able to see what ports are in use. If you see that TCP Dynamic Ports are in play, they will change upon every restart of the SQL Server instance and therefore are not a good fit for a hardened installation.

TCP/IP Properties

For more information please consult SQL Server Configuration Manager on Technet

LDAP/LDAPS

As indicated in LDAPS on Technet , LDAP communications are by nature insecure under certain conditions:

By default, LDAP communications between client and server applications are not encrypted.

This means that it would be possible to use a network monitoring device or software and view the communications traveling between LDAP client and server computers. This is especially problematic when an LDAP simple bind is used because credentials (username and password) is passed over the network unencrypted. This could quickly lead to the compromise of credentials.

Follow the instructions for your operating system in order to establish LDAPS. It will involve deploying certificates generated using your own Certification Authority (CA).

LDAP by default uses port 389. Even when you enable LDAPS, plain LDAP may still be used, so it needs to be disabled; please consult Enforcing usage of LDAPS .

LDAPS by default uses port 636 for typical domains, but will use port 3269 when communicating with a Global Catalog Server (basically when you have a Forest). Your domain administrator should be able to provide you with details of your domain infrastructure, especially if custom ports were used. You can also use ldp.exe to perform connectivity tests.

8.5.3

Enforcing usage of LDAPS

Description

To require that a directory server rejects simple binds which occur on a clear text connection, you must apply a policy.

Please refer to How to enable LDAP signing in Windows Server 2008 for the original article, but we will duplicate the content here for ease of use (especially since we had a hard time finding it ourselves...).

How to configure the directory to require LDAP server signing using Group Policy

How to set the server LDAP signing requirement

1. Click Start, click Run, type mmc.exe, and then click OK.

2. On the File menu, click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins dialog box, click Group Policy Management Editor, and then click Add.

4. In the Select Group Policy Object dialog box, click Browse.

5. In the Browse for a Group Policy Object dialog box, click Default Domain Policy under the Domains, OUs and linked Group Policy Objects area, and then click OK.

6. Click Finish.

7. Click OK.

8. Expand Default Domain Controller Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

9. Right-click Domain controller: LDAP server signing requirements, and then click Properties.

10. In the Domain controller: LDAP server signing requirements Properties dialog box, enable Define this policy setting, click to select Require signing in the Define this policy setting drop-down list, and then click OK.

11. In the Confirm Setting Change dialog box, click Yes.

How to set the client LDAP signing requirement through local computer policy

1. Click Start, click Run, type mmc.exe, and then click OK.

2. On the File menu, click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, and then click Add.

4. Click Finish.

5. Click OK.

6. Expand Local Computer Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

7. Right-click Network security: LDAP client signing requirements, and then click Properties.

8. In the Network security: LDAP client signing requirements Properties dialog box, click to select Require signing in the drop-down list, and then click OK.

9. In the Confirm Setting Change dialog box, click Yes.

How to set the client LDAP signing requirement through a domain Group Policy Object

1. Click Start, click Run, type mmc.exe, and then click OK.

2. On the File menu, click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, and then click Add.

4. Click Browse, and then select Default Domain Policy (or the Group Policy Object for which you want to enable client LDAP signing).

5. Click OK.

6. Click Finish.

7. Click Close.

8. Click OK.

9. Expand Default Domain Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

10. In the Network security: LDAP client signing requirements Properties dialog box, click to select Require signing in the drop-down list, and then click OK.

11. In the Confirm Setting Change dialog box, click Yes.

8.5.4

SQL Server Express configuration

Description

To be able to connect to a SQL database with Devolutions Server, here is the suggested configuration in Microsoft SQL Server Express Edition.

Steps

Most of our customers use the mixed mode Server Authentication. As per Microsoft, it is not the safest authentication method to use with Microsoft SQL Server Express Edition, but we recommend using it to configure and test your Devolutions Server instance. After a successful installation of Devolutions Server, you can set it back to Windows Authentication mode and set the Integrated Security option in the Database tab of the Devolutions Server Server Settings. Consult this topic on How to Configure Devolutions Server to use integrated security . To enable the mixed mode, in the Microsoft SQL Server Management Studio, open the properties dialog of your server and go in the Security tab. Then, select the SQL Server and Windows Authentication mode option.

The next option that needs to be activated is the Allow remote connections to this server option. You will find that option in the Connections tab of the SQL Server Properties dialog. Then, click on the OK button to save the modifications.


Finally, the SQL Server Browser service must be started on the machine where the SQL Server is hosted. Please run services.msc and look for the SQL Server Browser in the list.

We recommend setting the Startup type to Automatic for the SQL Server Browser service. Double-click on the service to open the properties dialog. Then, start the service by clicking on the Start button and select Automatic in the Startup type drop down menu. Finally, click on the OK button.

8.5.5

Backup

Description

Here are the recommended steps to enable the Backup scheduler.

Steps

1. Create a network shared folder that both the server hosting the Devolutions Server instance and the SQL Server will have access to.

2. Configure the Scheduler in the IIS Manager as explained in the following topic: How to Configure Scheduler in Devolutions Server.

3. Enable the Backup in the Scheduler tab of the Devolutions Server Settings.

4. Configure the options in the Backup Manager. For more information please see Backup Manager .

8.5.6

Manage Encryption Keys on a High Availability Topology

Description

The encryption keys must be the same on each Devolutions Server instance of your High Availability Topology.

Here are the steps to manage the encryption keys on that specific environment. If you have to upgrade Devolutions Server, please upgrade one instance at a time.

1. Open the Devolutions Server Console on the first server.

2. Open the Advanced menu on the right of the Devolutions Server Console and click on Manage Encryption Keys.

Devolutions Server Console

3. Set the Operation to Export, enter a password and click on the OK button.


Manage Encryption Keys dialog

4. Select a folder where to save the file and click on the Save button.


5. Copy the encryption file on the other server.

6. Go to another server where Devolutions Server is hosted and open the File Explorer in the App_Data subfolder of your web application folder. Delete every encryption file you find in that subfolder.

7. Open the Devolutions Server Console on the server. Then, open the Advanced menu on the right of the Devolutions Server Console and click on Manage Encryption Keys.

Devolutions Server Console

8. Set the Operation to Import and click on the OK button.

Manage Encryption Keys dialog

9. Select the encryption file and click on the Open button.

Select the encryption file

10. Enter the password and click on the OK button.

Import Encryption Keys password dialog

11. Click on the Yes button on the Change encryption keys warning dialog. Because the encryption keys were deleted, this operation will not be completed on the database. It will use the same encryption keys as the other server.

Change Encryption Keys warning dialog

8.6

Troubleshooting

8.6.1

After Upgrading Server the Devolutions Server Console is Empty

Description

You have attempted to upgrade your Devolutions Server instance and the upgrade was not completed correctly. Now, your instance is not present in the Devolutions Server Console and your data source is not connected.

Devolutions Server Console empty

Instructions

1. Navigate to the %temp%\RDM folder and copy the content of the folder.


2. Navigate to the folder where your Devolutions Server was deployed originally and paste the content of %temp%\RDM inside.

3. If you close and reopen your Devolutions Server Console, your instance should be present.

4. You can now proceed again with the upgrade of your server.

If the files are not present or the solution doesn't work, you will need to restore the backup that you have created in the preparation phase as described in Upgrading Devolutions Server.

8.6.2

Cannot Log in After DVLS Upgrade

Error

After upgrading Devolutions Server, users cannot authenticate anymore.

Error dialog at data source login attempt


Error at login attempt from web interface

Cause 1

Please note that if the user name format used is only the Username instead of one of NETBIOS (Domain\Username) or UPN ([email protected]), it will be impossible to authenticate on Devolutions Server version 4.5. A DB Script will need to be run in order to prefix the domain name in the username field. We can send the script upon request, but we would prefer to perform this task with you in a remote session.

Cause 2

The account authentication type is not specified.

From the computer hosting the Devolutions Server instance, launch Remote Desktop Manager with elevated privileges. In the Ribbon, navigate to Tools - Devolutions Server Console.

Remote Desktop Manager - Tools - Devolutions Server Console


Select the Devolutions Server instance and click on the User Management button.

Devolutions Server Console - User Management

Edit each user and verify if the Authentication type can be edited. If the field can be edited, this means that the authentication type is not specified and was guessed by the application.

DO NOT CHANGE THE AUTHENTICATION TYPE.

Simply click on the OK button to save the authentication type.

If the authentication type is already saved in the database, it is not possible to change to another authentication type.

User Management

It is also possible to use the Batch Edit feature in the User Management to edit all selected users at the same time.


User Management - Batch Edit

Check the second Override box, and select the correct Authentication type.

If the authentication type is saved in the database, it will not be possible to change it later. Make sure to select the correct authentication type before saving any modification.

Batch Edit - Override Authentication Type

8.6.3

Failed Request Tracing with IIS

Description

This topic will present how to install and configure a Failed Request Tracing Log rule for troubleshooting HTTP 500 error issues on the IIS site.

· Enable Failed Request Tracing in IIS
A detailed step by step to add the role on a Windows Server 2012R2.

· Configure Failed Request Tracing
Configuration needed for troubleshooting HTTP 500 error issues.

· Consult the Failed Request Tracing log
Where and how to look at the Failed Request Tracing logs.

For more information about Failed Request Tracing, please visit https://www.iis.net/configreference/system.webserver/tracing/tracefailedrequests .

8.6.3.1

Enable Failed Request Tracing in IIS

Enable Failed Requests Tracing in IIS

The following steps are applicable on Windows Server 2012R2.

1. Open the Server Manager. Choose Add Roles and Features from the Manage menu.

Server Manager - Add Roles and Features

2. Select the installation type and then click Next.


Select installation type

3. Select the destination server and then click Next.

Select destination server

4. On the Select server roles page, expand the Web Server (IIS) role, expand Web Server and expand Health and Diagnostics. Then select Tracing and click Next.

Select server roles

5. On the Select features page, click Next.

Select features

6. On the Confirm installation selections page, click Install.

Confirm installation selections

7. On the Results page, click Close.

Installation progress

8.6.3.2 Configure Failed Request Tracing

The following steps are applicable on Windows Server 2012R2.

1. In the Server Manager, click on the Tools menu and open the Internet Information Services (IIS) Manager.

Server Manager

2. In the IIS Manager, expand the Web site (VWINDSRV-RDMS2), expand Sites and then select Default Web Site.

Internet Information Services (IIS) Manager

3. On the right, in the Actions pane, select Failed Requests Tracing....

Actions pane

4. Select the Enable check box and then click OK. The Directory target and the Maximum number of trace files can be modified.

Edit Website Failed Request Tracing Settings

5. Expand Default Web Site and select the Web site to be traced.

Internet Information Services (IIS) Manager

6. Double click on the Failed Request Tracing Rules icon of the selected Web Site.

Internet Information Services (IIS) Manager

7. In the Actions pane on the right, click on Add... to add a new rule.

Failed Request Tracing Rules

8. Select ASP.NET (*.aspx) and click Next.

Specify Content to Trace

9. Select the Status Code(s) check box. Enter the type of the status code to be traced, in this case type in the status code 500, and click Next.

Define Trace Conditions

10. The last setting is to select the providers of the tracing. Select ASPNET and WWW Server. For each of them, set the Verbosity to Verbose. Finally, check all Areas settings for these two providers and click Finish.

Select Trace Providers

11. The tracing rule is now defined.

Failed Request Tracing rule defined
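
The same configuration can be scripted so that it is repeatable across servers. The following PowerShell script is an added example, not part of the Devolutions manual: it installs the Tracing role service, enables Failed Request Tracing on the site and creates the *.aspx / status code 500 rule from steps 8 to 10. The web application name `dvls` and the trace area lists (the areas defined on a default IIS 8.5 installation) are assumptions to adjust for your server.

```powershell
# Added example (not from the manual). Run in an elevated PowerShell session on the IIS server.
Import-Module ServerManager
Import-Module WebAdministration

$site     = 'Default Web Site'       # site that hosts the instance
$location = "$site/dvls"             # assumption: name of the Devolutions Server web application
$apphost  = 'MACHINE/WEBROOT/APPHOST'
$rules    = 'system.webServer/tracing/traceFailedRequests'
$rule     = "$rules/add[@path='*.aspx']"

# 8.6.3.1: add the Tracing role service (Web Server > Health and Diagnostics > Tracing).
if (-not (Get-WindowsFeature -Name Web-Http-Tracing).Installed) {
    Install-WindowsFeature -Name Web-Http-Tracing | Out-Null
}

# 8.6.3.2, step 4: enable Failed Request Tracing on the site (default directory and file count are kept).
Set-ItemProperty -Path "IIS:\Sites\$site" -Name 'traceFailedRequestsLogging.enabled' -Value $true

# Steps 7 to 10: create the rule only when it is not defined yet, so the script can be re-run.
if (-not (Get-WebConfiguration -PSPath $apphost -Location $location -Filter $rule)) {
    # Step 8: content to trace.
    Add-WebConfigurationProperty -PSPath $apphost -Location $location -Filter $rules `
        -Name '.' -Value @{ path = '*.aspx' }

    # Step 9: trace condition, HTTP status code 500.
    Set-WebConfigurationProperty -PSPath $apphost -Location $location `
        -Filter "$rule/failureDefinitions" -Name statusCodes -Value '500'

    # Step 10: ASPNET and WWW Server providers, Verbose, all areas.
    # Assumption: these are the areas of a default IIS 8.5 install; installed modules can add more.
    $providers = @{
        'ASPNET'     = 'Infrastructure,Module,Page,AppServices'
        'WWW Server' = 'Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,' +
                       'RequestNotifications,Module,FastCGI,WebSocket'
    }
    foreach ($name in $providers.Keys) {
        Add-WebConfigurationProperty -PSPath $apphost -Location $location -Filter "$rule/traceAreas" `
            -Name '.' -Value @{ provider = $name; areas = $providers[$name]; verbosity = 'Verbose' }
    }
}

# Verbose traces record request headers, so switch tracing off once troubleshooting is finished:
# Set-ItemProperty -Path "IIS:\Sites\$site" -Name 'traceFailedRequestsLogging.enabled' -Value $false
```

The script writes the rule to applicationHost.config under a location tag for the application, whereas IIS Manager normally stores it in the application's web.config; both are read by IIS.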

8.6.3.3 Consult the Failed Request Tracing log

With Failed Request Tracing enabled, the log files are created and populated in the directory set in the Edit Website Failed Request Tracing Settings step. By default, the path is %SystemDrive%\inetpub\logs\FailedReqLogFiles. In this directory, a folder typically named W3SVC1 is created the first time a request matches the tracing rule.

The folder contains an XSL file (freb.xsl) that sets the display style in an XML viewer such as Internet Explorer and, most importantly, the XML log files (fr######.xml). Open an XML file to view the log triggered by the tracing rule.

Failed Request Tracing log folder

Here is an example of a Failed Request Tracing log:

Failed Request Tracing log

8.6.4 IIS Logging

Description

The following settings are the desired ones when troubleshooting a performance or connectivity issue related to the client application.

IIS Web Site Logging

1. Open IIS Manager and go to the Logging settings.

IIS Manager

2. Click on Select Fields.

Logging panel

3. We recommend that AT LEAST the following fields be selected:

Field selection dialog

Application pool recycle

The application pool that runs the instance can be restarted for a multitude of reasons. It may be useful to know when those recycles occur as well as the reasons. Go to the Application Pools section of the IIS Manager, then open the Advanced Settings for your application pool. Enable all of the Recycle events; each recycle will then create a log entry in the Windows Event Log.

Advanced settings for an Application Pool.

8.6.5 Server Diagnostic

Description

The server diagnostic validates if all the necessary IIS features are enabled to run Devolutions Server properly.

Settings

Remote Desktop Manager Enterprise - Windows Edition must be started with elevated privileges when the Devolutions Server Console needs to be used.

The server diagnostic is available from the Tools -> Devolutions Server Console menu

Devolutions Server Console

This diagnostic will verify if all the IIS features are installed properly.

The Application Initialization warning is about our new Backup feature that is not fully functional. You can ignore the warning safely.

8.6.6 Web interface content looks wrong

Description

If you have completed your Devolutions Server installation and its web interface isn’t displaying properly (as shown below), here are some steps to follow to resolve the issue.

Devolutions Server Web interface

Steps

1. Run an IIS Features Diagnostic and verify that all the IIS features are on and installed properly.

If you see that your Static Content hasn't been properly installed, you will need to enable that Windows Feature.

IIS Features Diagnostic

2. In Windows Features, under World Wide Web Features - Common HTTP Features verify if the option Static Content is turned on.

Windows Features

8.6.7 Login failed

Description

When trying to log in to the web interface of the Devolutions Server, you may get a Login failed error.

Cause 1

The Login failed for user 'Domain\ServerName$' error, with a '$' at the end of the server name, is caused by a wrong setting of the Application Pool Identity in Internet Information Services (IIS) Manager. The Application Pool Identity must be set to a specific account when the Integrated Security option is activated in the Server Settings of Devolutions Server. For more information about Integrated Security, please refer to How to Configure Devolutions Server to use integrated security.

Login failed for user 'Domain\ServerName$'

Steps

1. Open the IIS Manager and select Application Pools in the Connections pane. Then, select the application pool of your Devolutions Server and click on Advanced Settings in the Actions pane.

IIS Manager - Application Pools

2. On the Advanced Settings dialog, select Identity and click on the ellipsis button on the right.

Application Pools - Advanced Settings

3. Select Custom account and click on the Set... button.

Application Pool Identity

4. Fill in the credentials and click on the OK button. This account must have the proper rights in order to run the web interface of the Devolutions Server.

Set Credentials

5. Now the Application Pool Identity is set with an account with proper rights for running this application.

Advanced Settings

Cause 2

The Login failed for user 'IIS APPPOOL\ApplicationPoolName' error is related to insufficient permissions for the ApplicationPoolIdentity, or to a nonexistent ApplicationPoolName user, on the SQL database. It occurs when the SQL Server and Devolutions Server are hosted on the same machine.

Login failed for user 'IIS APPPOOL\ApplicationPoolName'

Steps

1. Using Microsoft SQL Server Management Studio, right-click on the Security branch and select New - Login.

SQL Server Management Studio

2. For the login, type IIS APPPOOL\AppPoolName and DO NOT CLICK SEARCH (If a search is executed, it will resolve to an account with ServerName\AppPoolName and SQL will be unable to resolve the account’s SID since it is virtual).

Create SQL User

3. Please follow the instructions from step 4 of the online help page How to Grant access to SQL Server instance.

8.6.8 Error Uploading Document

Description

You get an HTTP 413 error when trying to upload or attach a document to an existing entry.

Error message dialog

Steps

1. Open the IIS Manager on the server where Devolutions Server is hosted.

2. Expand the tree view, select the Devolutions Server web application name and open the Configuration Editor in the Management section.

IIS Manager

3. Select the value system.webServer/serverRuntime in the Section drop down menu. Then, increase the value of the uploadReadAheadSize parameter. This value is in bytes so if you want to load a 50MB file, you have to change the value to 51200.

IIS Configuration Editor

For more information about these settings, you can consult this web page https://www.iis.net/configreference/system.webserver/serverruntime

8.6.9 The remote server returned an error (405) Method Not Allowed

Description

You get the following Error message dialog when you try to create or modify an entry.

Error message dialog

Steps

Please note that you will have to restart the server after removing the WebDAV Publishing role to complete the procedure.

1. On the server where the Devolutions Server instance is hosted, open the Server Manager application.

2. Then, open the Remove Roles and Features in the Manage menu.

Server Manager

3. In the Server Roles, uncheck the WebDAV Publishing role.

Remove Roles and Features Wizard dialog

4. Click on the Remove button to uninstall the WebDAV Publishing role from the server.

Remove Roles and Features Wizard dialog

8.6.10 Blank login page on a Windows Server 2008R2

Description

When you open the web page of the Devolutions Server instance, the web page is blank. This is due to a malformed XML web.config file, caused by a specific parameter that is not supported by IIS version 7 or 7.5, and to a missing JSON application MIME type in the web application.

These steps are suitable for version 4.0.7.0 and above.

Steps

1. Edit the web.config file that is located in the client1.0.0-1 subfolder of the Devolutions Server web application folder.

Devolutions Server web application folder

2. Remove the setEtag="false" parameter from the web.config file and save the file.

web.config file

3. Next, open IIS Manager and select the node with your web server name. Then, double-click on the MIME Types icon.

IIS Manager

4. In the MIME Type list, if the .json entry doesn't already exist, click on the Add link in the Actions panel on the right and fill in the appropriate field. Set the File name extension field with the value .json and the MIME type field with the value application/json and click on the OK button.

Add .json MIME type

5. There is no need to reboot the server or recycle the IIS server after these modifications.

8.6.11 Duplicate Devolutions Server instance

Description

When you open the Devolutions Server Console, two instances of the same Devolutions Server are visible in the console. One of them has only a "/" as the Web Application Name.

Devolutions Server Console

Cause 1

Using the default parameters of the IIS Manager, the Default Web Site points to the same Physical Path of the Devolutions Server web application.

Steps

Change the path of the Web Site in the IIS Manager.

1. Open IIS Manager, select the Web Site that contains the Devolutions Server web application and click on Advanced Settings in the Actions panel on the right.

IIS Manager

2. Change the Physical Path of the Web Site from the Devolutions Server subfolder to the parent folder.

Web Site Advanced Settings - Before the Physical Path modification

Web Site Advanced Settings - After the Physical Path modification

3. Restart your IIS Server.

IIS Manager

4. On the Devolutions Server Console, click on the Refresh button and just one instance should be displayed.

Devolutions Server Console

Cause 2

When the Web Site is located in a different folder than the default one used by the IIS Manager, the Web Site points to the same Physical Path of the Devolutions Server web application.

Devolutions Server Console

Steps

To have only one Devolutions Server instance without any duplicate, the Physical Path of the instance must point to a subfolder of the Web Site Physical Path.

1. Open the Windows Explorer and create a folder in the Physical Path of the Web Site. In the image below, the name of the new folder is DVLS. It can be another folder name that fits your needs.

Windows Explorer

2. Move the selected files and folders into that new subfolder, i.e. DVLS.

Windows Explorer

3. Open the IIS Manager, select the Devolutions Server web application in the tree view and click on Advanced Settings in the Actions panel on the right.

IIS Manager

4. Change the Physical Path to point to the new folder created in step 1.

Advanced Settings dialog

5. To restart your IIS Server, select the root in the tree view and click on Restart in the Actions panel on the right.

IIS Manager

6. On the Devolutions Server Console, click on the Refresh button and just one instance should be displayed.

Devolutions Server Console

8.6.12 Cryptographic Exception - The parameter is incorrect error message

Description

After the upgrade of Remote Desktop Manager to version 12.5.x on the server where the Devolutions Server instance version 4.0.7.0 is hosted, the encryption.config file is updated if you change the configuration of the instance.

System.Security.Cryptography.CryptographicException error message dialog

Steps

The XML tags are not recognized by Devolutions Server and they must be replaced by the old XML tags.

1. Go to the App_Data folder that is located in the web application folder of the DVLS instance. If the default value is used, the installation path is C:\inetpub\wwwroot\DVLS\App_Data.

2. Edit the encryption.config file.

3. Remove the line with the <SafeAttachmentStorageKey> tag.

4. Change the tag <SafeLoginKey> to <SafeRsaKey>. Don't forget to also change the closing tag to </SafeRsaKey>.

5. Change the tag <SafeTokenStorageKey> to <SafeAesKey>. Don't forget to also change the closing tag to </SafeAesKey>.

The encryption.config file before the modification:

encryption.config file before modification

The file after the modification:

encryption.config file after modification

Every time someone modifies the configuration of the DVLS instance, these steps have to be repeated.
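
Because the edit has to be repeated after every configuration change, it is worth scripting. The following PowerShell script is an added example, not Devolutions code: it applies steps 3 to 5 to the file, checks that the result is still well-formed XML and keeps a timestamped backup. It assumes each key element sits on a single line, as the steps above imply; the `<Root>` element and the key values in the sample are constructed placeholders, not the real file layout.

```powershell
# Added example (not from the manual): re-applies steps 3 to 5 to encryption.config.
function Convert-EncryptionConfig {
    param([string[]]$Lines)
    # Step 3: drop every line that carries the <SafeAttachmentStorageKey> element.
    $kept = @($Lines | Where-Object { $_ -cnotmatch '<SafeAttachmentStorageKey\b' })
    if ($kept -cmatch 'SafeAttachmentStorageKey') {
        # A closing tag was left behind, so the element is not on one line: stop instead of guessing.
        throw 'SafeAttachmentStorageKey spans several lines; edit the file by hand.'
    }
    foreach ($line in $kept) {
        # Steps 4 and 5: rename opening and closing tags; the key values are left untouched.
        $line = $line -creplace '<(/?)SafeLoginKey\b', '<${1}SafeRsaKey'
        $line -creplace '<(/?)SafeTokenStorageKey\b', '<${1}SafeAesKey'
    }
}

function Update-EncryptionConfig {
    # Default path is the one given in step 1 of the manual.
    param([string]$Path = 'C:\inetpub\wwwroot\DVLS\App_Data\encryption.config')
    $before = [System.IO.File]::ReadAllLines($Path)
    $after  = [string[]]@(Convert-EncryptionConfig -Lines $before)
    if (($before -join "`n") -ceq ($after -join "`n")) { return $false }   # nothing to change
    [void][xml]($after -join "`n")            # throws if the result is not well-formed XML
    # The backup holds the same key material; it stays in App_Data and inherits that folder's ACL.
    Copy-Item -LiteralPath $Path -Destination "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    [System.IO.File]::WriteAllLines($Path, $after)   # written as UTF-8 without a byte order mark
    return $true
}

# Constructed sample: element layout and values are placeholders, not a real encryption.config.
$sample = @(
    '<Root>'
    '  <SafeLoginKey>PLACEHOLDER-1</SafeLoginKey>'
    '  <SafeTokenStorageKey>PLACEHOLDER-2</SafeTokenStorageKey>'
    '  <SafeAttachmentStorageKey>PLACEHOLDER-3</SafeAttachmentStorageKey>'
    '</Root>'
)
Convert-EncryptionConfig -Lines $sample

# On the server, from an elevated session:
# Update-EncryptionConfig
```

`Update-EncryptionConfig` returns `$false` when the file already uses the old tags, so it is safe to run after every configuration change.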

Key Features

  • Self-hosted repository
  • Web-based password vault
  • Session management
  • Full Active Directory integration
  • Two-factor authentication
  • IP restrictions
  • Security aspects
  • Syslog integration
  • Scheduler
  • System policies

Frequently Asked Questions

What is Devolutions Server?
Devolutions Server is a self-hosted repository and management platform that provides a secure way to store, share, and manage remote connections, credentials, and sensitive information.
What are the system requirements for Devolutions Server?
Devolutions Server requires Microsoft .Net Framework 4.5.2, Microsoft SQL Server 2012/2014/2016 (including Express editions), Internet Information Services (IIS) 7.0 or better, and Remote Desktop Manager Enterprise - Windows Edition.
How do I install Devolutions Server?
You can install Devolutions Server on a single server or across multiple servers in different topologies. The installation process involves configuring the web server, database server, and creating a Devolutions Server instance.
