4.6

Table of Contents

© 2017 Devolutions inc.

Part I Overview
  1 What is Devolutions Server?
  2 Features
  3 System Requirements
  4 Topologies
  5 Fault Tolerance

Part II Getting Started
  1 Security Checklist
  2 Small Business Edition

Part III Installation
  1 Web role - Install 2012R2
  2 Web role - Install pre 2012R2
  3 Database Instance
  4 Create Devolutions Server instance

Part IV Upgrading Devolutions Server
  1 Upgrading to 3.0
  2 Upgrading to 3.2
  3 Upgrading to 4.0
  4 Upgrading to 4.5
  5 Upgrading to 4.6

Part V Management
  1 Devolutions Server Console
  2 Authentication
  3 Security
    Security Group Management
    User Management
    Role Management
    LDAP over SSL
  4 Advanced
    Manage Encryption Keys
  5 Server Settings
    General
    Database
    Authentication
    Domain
    2-Factor Authentication
      Google Authenticator
      Yubikey
      SafeNet
      Duo
      AuthAnvil
      Email
      SMS
      Azure MFA
      Radius
      Vasco
    Security
    GeoIP Security
    IIS
    Email
    User Interface
    Logging
    Features
    Scheduler
    Advanced

Part VI Web Interface
  1 Home
  2 Connections
  3 Administration
  4 Reports
  5 Tools

Part VII How-To
  1 How to Configure Client Data Source
  2 How to Configure Devolutions Server to use integrated security
    How to Grant access to SQL Server instance
  3 How to Configure SSL
  4 How to update your registration serial after a renewal
  5 How to Configure Two-factor Authentication (2FA)
    Email settings
    SMS settings
      SMS Free
      SMS Twilio
    SafeNet settings
    Azure MFA settings
    Radius settings
    Vasco settings
  6 How to Configure Security Groups and Roles with AD Integration
  7 How to Configure Scheduler in Devolutions Server
  8 How to Configure Notifications
  9 How to enable the Devolutions Server logs
  10 How to import users from LDAP
  11 How to configure Windows Authentication

Part VIII Support/Resources
  1 FAQ (Frequently Asked Questions)
  2 Follow Us
  3 Previous Versions
  4 Technical Support
  5 Knowledge Base
    User Agent
    Ports And Firewalls
    Enforcing usage of LDAPS
    SQL Server Express configuration
    Backup
    Manage Encryption Keys on a High Availability Topology
  6 Troubleshooting
    After Upgrading Server the Devolutions Server Console is Empty
    Cannot Log in After DVLS Upgrade
    Failed Request Tracing with IIS
      Enable Failed Request Tracing in IIS
      Configure Failed Request Tracing
      Consult the Failed Request Tracing log
    IIS Logging
    Server Diagnostic
    Web interface content looks wrong
    Login failed
    Error Uploading Document
    The remote server returned an error (405) Method Not Allowed
    Blank login page on a Windows Server 2008R2
    Duplicate Devolutions Server instance
    Cryptographic Exception - The parameter is incorrect error message

Part I Overview

1 Overview

1.1 What is Devolutions Server?

Description

Devolutions Server is an on-premise repository for storing and sharing remote connections, credentials and sensitive information. Because it is an on-premise solution, it is quite a unique offering: it provides what seems to be a consumer-grade experience in a corporate-grade solution.

There are two ways of using Devolutions Server:

Web based Password Vault
Browser access & Devolutions Web Login

Add, edit, or delete entries of various types. Passwords can be viewed directly using a web browser. Credentials can be automatically submitted by our Devolutions Web Login when installed in a supported web browser. Note that remote access technologies (RDP, VNC, etc.) are not supported within a web browser.

Password Vault and Session Management
Client application (desktop or mobile)

Devolutions Server runs on an application server and offers storage services, caching, and many advanced features to our client applications. Full edition capabilities, including more supported entry types, make our Devolutions Server the preferred tool for IT specialists. Unlike with browser access, Remote Desktop Manager can launch sessions using remote access technologies.

Highlights

High-End Server
Installed on-premise on an application server. Store an unlimited amount of entries and manage access to these entries with our Role Based Security System.

Full Active Directory (AD) Integration
Users accessing the system will be granted permissions based on their membership in specific AD groups, making user management almost seamless for organizations that use AD to manage teams.

Sharing
Share your sessions, credentials, and sensitive data with multiple users.

Web Architecture
Implemented using a Web architecture so it can be exposed publicly on the Internet or only to your Intranet or private cloud.

Web Access
Paired together to ease credential management: use a web browser to manage the content of your shared data source, and our Devolutions Web Login to automatically log in to web sites.

Database Isolation
The SQL database is protected from direct user access. This may be required in order to be compliant with a security regulation at the corporate or legal level (HIPAA, PCI, etc.).

Two-Factor Authentication
Widest choice of two-factor authentication (2FA) providers. Many providers can be enabled concurrently. They can selectively be enforced per user.

Email Notifications
Optionally receive email notifications for various events on sessions, users, roles, etc.

IP Restrictions
Controlling access to Devolutions Server from IP addresses / ranges, including GeoIP restriction and IP whitelisting / blacklisting.

1.2 Features

Description

Caching
Server caching for better performance. This is in addition to the optional client-side caching built into our desktop/mobile clients.

User Management
Role based security system that grants permissions based on role membership. Roles can be tied directly to Active Directory groups.

Two-Factor Authentication
Widest choice of 2-Factor authentication providers, as well as granularity at the user level over which provider is used.

IP Restrictions
· Controlling access to Devolutions Server from IP addresses / ranges.
    o GeoIP restriction
    o IP whitelisting / blacklisting
· Login history
· Failed login attempts history

Security Aspects
· Inherited permissions which can be granular down to entries (view, add, edit, delete)
· Connection data encryption with passphrase or certificate.
· Per machine setting/credential custom values

Syslog Integration
Centralize all your logs in a protected repository.

Active Directory Integration
· Windows authentication
· Role based security system bound to Active Directory Groups for automatic grant of permissions.
· Automatic user account creation based on Active Directory, optionally limited to a specific AD group

Scheduler
· Backup: scheduled backup for the SQL Database and instance data.
· Notifications: used to send email notifications to specific users that include any activities on sessions, roles, users, etc.

System Policies
Control features available to users.

History of Changes
Monitor user activity for changes in users, roles, repositories, and data source settings.

Unlimited Entries
Although we do not limit the number of entries that can be stored in your instance, there comes a point where performance is severely affected by the sheer volume of data exchanged between the client and server. This is made worse by using custom images and storing sizable notes within entries. The solution is to make use of the repositories feature.

Desktop / Mobile clients
The client applications offer the most required features to meet an IT specialist's daily challenges, supporting a great number of remote access technologies, such as RDP, VNC, SSH, and more. IT professionals of our community mostly use Remote Desktop Manager.

1. Remote Desktop Manager
· Remote Desktop Manager Enterprise - Windows Edition
· Remote Desktop Manager Enterprise - Mac Edition
· Remote Desktop Manager - Android Edition
· Remote Desktop Manager - iOS Edition
· Remote Desktop Manager - Amazon FireOS Edition

2. Password Vault Manager
· Password Vault Manager Enterprise - Windows Edition
· Password Vault Manager Enterprise - Mac Edition
· Password Vault Manager - Android Edition
· Password Vault Manager - iOS Edition
· Password Vault Manager - Amazon FireOS Edition

1.3 System Requirements

Minimum Requirements

Devolutions Server needs Microsoft .Net Framework 4.5.2 to function, but Remote Desktop Manager 12.0 requires version 4.6. Please adapt your environment depending on which version you are running.

· Microsoft .Net Framework 4.5.2
· Please refer to the requirements for the .Net Framework for operating systems, as it is the driving force behind the requirements of our applications.
· 500+ MB hard drive capacity.

64-bit Support

Devolutions Server is compatible with all 64-bit versions of Windows.

Dependencies

· Microsoft SQL Server 2012/2014/2016 (including Express editions)
· Internet Information Services (IIS) 7.0 or better.
· Remote Desktop Manager Enterprise - Windows Edition must be installed on the server to manage the Devolutions Server instance(s).

Server sizing

Many customers ask how to properly size their servers for various topologies. Any such estimate is essentially unreliable, because the way the system is used has a significant impact on the resource usage of each node within the chosen topology. For a proper estimate, the following aspects must be considered:

    o Number of entries stored in your instance (server details, credentials, etc.).
    o Churn of these entries: do you create entries daily or are they quite static?
    o Number of concurrent users that connect to the Devolutions Server instance during peak times.
    o Usage of information by the users. Are they launching 10 sessions at a time, doing a batch operation that takes a few minutes, then repeating the cycle, or are they opening only a few sessions but working within them all day long? Launching sessions results in write operations to our logs, therefore the former case is more intensive than the latter.

That being said, the great majority of setups that we have seen work well with nodes of 4GB RAM and a dual CPU. Most of these are virtualized environments, so granting more resources is relatively simple.

1.4 Topologies

Description

Devolutions Server instances can be installed in different topologies. The following are examples of different topologies serving various purposes.

Single Server Topology

The Devolutions Server and the SQL Server can be installed on the same machine for a small team of up to 20 users.

Having Devolutions Server and SQL Server on the same machine could result in certain performance issues if you attempt to serve more than 20 users.

Figure: Same server installation

Recommended Basic Topology

A recommended basic topology consists of two servers, one for the Devolutions Server and one for the SQL Database.
By doing so, all queries are handled by the SQL server and performance is less affected on the application server.

Figure: Basic topology

High Availability Topology

Database layer only

For high availability of the database, Database Mirroring can be used, which replicates data to a partner server. The failover partner server will be ready at any time when the main server becomes unavailable. This ensures that the Devolutions Server is still accessing the data source, and the failover is transparent for Remote Desktop Manager users.

Figure: High availability topology

Load Balancing Topology

To ensure maximum performance of the Devolutions Server, it can be deployed in a load balancing topology. The load balancer can be either a physical or a software load balancing system.

Figure: Load balancing Devolutions Server topology

Devolutions Server Instance Manual Failover

Customers who do not wish to purchase a load balancer, or who are seeking a simpler topology for their system, can use two Devolutions Server instances on two different web servers, both directed to the same SQL Server database. By registering both instances as separate data sources in the client applications, users can manually toggle between servers if one becomes unresponsive.

Figure: Manual failover with two Devolutions Servers

1.5 Fault Tolerance

Description

The Devolutions platform follows certain design guidelines to preserve the full version history of your data, be it modifications or deletions. It also has an extensive logging layer to provide full visibility on the activity carried out while using the system. These design choices impact the options offered to you when you wish to provide fault tolerance at the database level.

Impact on technological choices

Because of all of the write operations that occur behind the scenes, you cannot have a topology other than ACTIVE/PASSIVE. The standby replica must be kept in sync at all times, but left untouched. There can be only ONE database in use at any one time.

You can use either of the Microsoft technologies, mirroring or clustering, but what is key is that the replicated content is only accessed when the master content is unavailable.

Mirroring as a way to share with distant teams

Because replicated data must be kept untouched, replication is NOT the proper solution when you have multiple teams and wish to share a set of master data across them. For this scenario it is best to use a mix of:

· Synchronizers, particularly the one for RDM data
· PowerShell scripting (to export a specific branch of your tree)

Part II Getting Started

2 Getting Started

Description

This topic is for Devolutions Server - Corporate Edition. If you have instead purchased Devolutions Server - Small Business Edition, please consult Getting Started - Small Business Edition.

After completing your purchase of the Devolutions Server - Corporate Edition, an email will be sent with three license serials. Each license allows running a Devolutions Server instance. An instance is in itself a web server application which acts as a back-end for our client applications. You can think of it as a specialized database for your data. All instances can be installed on the same physical server, or spread across many.

Devolutions Server can be installed through different topology types. Please consult Topologies for additional information.

Domain requirements

These requirements apply only if you intend to use Automatic User Account Creation (see Authentication) and/or Roles to manage your instance.

Create Active Directory groups to manage your instance.
Typical examples are: RDM Admins, RDM Operators, RDM Users.

Add domain users to the Active Directory groups.

Checklist for installing and running Devolutions Server

Software requirements on the server hosting the instance

· Microsoft .NET Framework 4.5.2 (it can be installed through the Microsoft Web Platform Installer).
· Microsoft SQL Server (see Database Instance) if you intend to host the solution on a single server.
· Internet Information Services (IIS) 7.0 or better (see https://technet.microsoft.com/en-ca/library/hh831475.aspx#InstallIIS).
· Remote Desktop Manager Enterprise - Windows Edition.

Installation steps

· Create a new instance of Devolutions Server (see Create Devolutions Server instance).
· Create a Devolutions Server administrator account in the User Management.
· Create security groups and roles (see Security Group Management, Role Management and Security - Best practices).
· Add domain users or built-in users (see User Management).

2.1 Security Checklist

Description

To achieve the highest level of security, you should adhere to the following guidelines.

These recommendations are valid ONLY if the Devolutions Server instance is hosted EXCLUSIVELY on an intranet. You must involve a person with knowledge of Internet security to safely host any application on the Internet. You need to protect the site from Denial of Service attacks using an appliance or a security module that is external to Devolutions Server.

General

· Use Windows Authentication exclusively.

SQL Server

· Enable only the Windows Authentication Mode.
· Create a domain account that will be used to create the database (RDMOwner), as well as another account that will be used by the web server to connect to the database (RDMRunner). The latter must have only the minimal set of permissions to perform its tasks.
· Communicate ONLY through an encrypted connection (SSL).

Web Server

· Configure the application pool to use domain credentials.
This account will be added to the SQL Server as a login and be granted only the permissions that are needed (RDMRunner).
· Serve content through SSL (https). See Configure SSL.

2.2 Small Business Edition

Description

After the purchase of Devolutions Server - Small Business Edition, an email is sent with the license serial. This key allows you to create a new instance of Devolutions Server. The installation procedure is available at Devolutions Server Installation.

Please check your junk/spam mail folder if you do not see the email in your inbox.

Domain requirements

These requirements apply only if you intend to use Automatic User Account Creation (see Authentication) and/or Roles to manage your instance.

Create Active Directory groups to manage your instance. Typical examples are: RDM Admins, RDM Operators, RDM Users.

Add domain users to the Active Directory groups.

Checklist for installing and running Devolutions Server

Software requirements on the server hosting the instance

· Microsoft .NET Framework 4.5.2 (it can be installed through the Microsoft Web Platform Installer).
· Microsoft SQL Server database (see Database Instance).
· Internet Information Services (IIS) 7.0 or better (see https://technet.microsoft.com/en-ca/library/hh831475.aspx#InstallIIS).
· Remote Desktop Manager Enterprise - Windows Edition.

Installation steps

· Create a new instance of Devolutions Server (see Create Devolutions Server instance).
· Create a Devolutions Server administrator account in the User Management.
· Create Security Groups and Roles (see Security Group Management, Role Management and Security - Best practices).
· Add domain users or built-in users (see User Management).

For more detailed information about Devolutions Server, please consult the other sections of this online help.
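The SQL Server items of the Security Checklist (section 2.1) can be checked on the database server itself. The read-only T-SQL below is an added example, not part of the Devolutions documentation; the WINDJAMMER domain prefix and the DVLS database name are placeholders, and the account running it is assumed to hold VIEW SERVER STATE.

```sql
-- Added example: read-only audit of the SQL Server items in the Security Checklist.
-- Placeholders (assumptions, not values from the manual): the WINDJAMMER domain
-- prefix and the database name DVLS. RDMRunner is the account name the checklist uses.
USE [DVLS];   -- placeholder database name

DECLARE @runner sysname = N'WINDJAMMER\RDMRunner';

-- 1. "Enable only the Windows Authentication Mode"
--    IsIntegratedSecurityOnly = 1 means SQL logins are refused server-wide.
SELECT CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
           WHEN 1 THEN 'OK: Windows Authentication only'
           ELSE 'FINDING: mixed mode, SQL logins are accepted'
       END AS authentication_mode;

--    SQL logins that are still enabled (they only work in mixed mode).
SELECT name, create_date, modify_date
FROM sys.sql_logins
WHERE is_disabled = 0;

-- 2. RDMRunner "must have only the minimal set of permissions".
--    Server roles held by the login: expected result is no rows.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @runner;

--    Server-level permissions beyond the right to connect: expected no rows.
SELECT sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE p.name = @runner
  AND sp.permission_name <> 'CONNECT SQL';

--    Database roles of the user mapped to RDMRunner in the current database.
--    The manual does not list the exact rights required, so review this list
--    rather than expecting it to be empty.
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.sid = SUSER_SID(@runner);

-- 3. "Communicate ONLY through an encrypted connection (SSL)" and
--    "Use Windows Authentication exclusively": list current user sessions
--    that are unencrypted or that authenticated with a SQL login.
SELECT s.login_name, s.host_name, s.program_name,
       c.client_net_address, c.net_transport, c.auth_scheme, c.encrypt_option
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND (c.encrypt_option = 'FALSE' OR c.auth_scheme = 'SQL');
```

The last query only sees sessions that are connected when it runs, so run it while the Devolutions Server instance is in use.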
Part III Installation

3 Installation

Topology

If you have received your serial license keys, please refer to the Getting Started topic.

A Devolutions Server instance is in fact a Web application. This allows for exposing its services on the Internet or an intranet.

The recommended topology is the use of two servers: a Database server and a Web server. For smaller installations, a single server can be used, but resources will be shared between the two roles, thereby reducing performance.

Remote Desktop Manager Enterprise - Windows Edition must be installed on the web server in order to manage the Devolutions Server instance. Before starting the installation, please ensure that you have .NET 4.5.2 installed on your machine.

It is highly recommended to enable SSL Encryption to protect communication with the SQL Server instance. Please follow the instructions at http://support.microsoft.com/kb/316898. Note that we recommend this be done after the initial setup is complete.

For full Active Directory integration, the application pool uses a domain identity and both servers need to be joined to the domain.

How to install the server

Web Server pre-requisites

Please refer to the appropriate topic depending on the operating system of the web server.

· Web role - Install pre 2012R2
· Web role - Install 2012R2

After you have installed the pre-requisites, test the IIS installation by navigating to http://localhost. Do not proceed further if you do not see the IIS welcome screen; it means there are issues that must be resolved.

Database server pre-requisites

Please refer to Database Instance.

Create Devolutions Server Instance

Please refer to Create Devolutions Server instance.

3.1 Web role - Install 2012R2

Description

Configuration of the Web server in Windows 2012 R2 is a significant departure from previous versions. These steps are mainly manual at this time.
They were performed on a Windows 2012 R2 image that had been installed from the DVD image with the Windows Updates applied.

Install the Web Server Role

Using the Roles and Features wizard, in the Roles page, add the Web Server (IIS) role and click Next.

[Figure: Roles and Features Wizard - Web Server (IIS)]

Install ASP.NET

We recommend using the Web Platform Installer to install the .NET framework. .NET 4.5 is an "in-place" upgrade of the framework, and it can be complex to determine which version is installed.

Make sure that ASP.NET 4.5 is installed on your Windows server.

Add Missing Role Services

In the Security branch, enable the following authentication services: Basic, Digest, and Windows.

[Figure: Web Server services]

Register ASP.NET in IIS

This is best achieved using the Web Platform Installer. In IIS Manager, when the server node is selected, you will notice "Get New Web Platform Components". Use this to install the Web Platform Installer.

[Figure: IIS Manager with Command to install WPI]

When you launch the WPI, highlight the Products category and browse for ASP.NET registration, add it, and select Install.

Install URL Rewrite module 2

This is best achieved using the Web Platform Installer. Search for URL Rewrite in WPI, add it and select Install. You can also download it from https://www.iis.net/downloads/microsoft/url-rewrite.

Allow for Configuration Personalization by Web Applications

New to this IIS release, certain configuration settings are locked down at the root of the web site. Since Devolutions Server requires specific directives, we need to allow web applications to adapt the configuration at their level. This is easiest when using the APPCMD executable.

Open an elevated command prompt (Run As Administrator). Set the working folder to %windir%\system32\inetsrv\ and run the following two commands.
    appcmd.exe unlock config -section:system.webServer/handlers
    appcmd.exe unlock config -section:system.webServer/modules

3.2 Web role - Install pre 2012R2

Description

This section gives the first version of the instructions, applicable to a server running Windows 2008 up to 2012 (R1).

We recommend using the Web Platform Installer to install the .NET framework. .NET 4.5 is an "in-place" upgrade of the framework, and it can be rather complex to determine which version is installed.

Web Server Pre-requisites

Make sure "Internet Information Services" is installed with all the ASP.NET requirements.

[Figure: Windows features]

3.3 Database Instance

Description

Install SQL Server Express or Standard. Download SQL Server 2016 Express from Microsoft's site.

If full integration with Active Directory is required, you can decide to enable Windows Authentication only. Please refer to the MSDN online help for full details.

Under Windows authentication, you must set the Application Pool identity to an account from the domain. We recommend creating a dedicated account for this purpose. Please refer to Configure Devolutions Server to use integrated security for instructions that need to be performed AFTER creating the Devolutions Server instance.

Devolutions Server has no requirements that dictate which communication protocol is used, nor many of the other options offered by the SQL Server instance. As long as the client workstation can connect to the SQL Server instance, Devolutions Server will run effectively. Please refer to the Microsoft documentation in order to allow connectivity to the instance.

3.4 Create Devolutions Server instance

Description

If you have recently received your serial license keys, please refer to the Getting Started topic.

The Devolutions Server product can host multiple instances that will each reside in their own Web Application within IIS.
The following steps are carried out using Remote Desktop Manager Enterprise - Windows Edition.

Procedure

1. Install Remote Desktop Manager Enterprise - Windows Edition on the web server. It is available from the Download page.

2. Execute Remote Desktop Manager Enterprise - Windows Edition with elevated privileges (run as administrator). This is done by right-clicking on the application and selecting Run as administrator.

[Figure: Run Remote Desktop Manager Enterprise Windows Edition with elevated privileges]

3. Open the console by selecting Tools > Devolutions Server Console.

[Figure: Tools ribbon]

All operations performed through the console are done with the credentials used to launch Remote Desktop Manager. If you must use other credentials, you will need to launch another Windows session. The RunAs command does not offer the option of starting a process with elevated privileges.

4. Deploy a new server instance.

[Figure: Devolutions Server Console]

5. The first dialog shows whether the IIS Server has all the necessary prerequisites installed and is ready to run Devolutions Server. If any error appears with a red X, please resolve the issue before proceeding.

[Figure: IIS Prerequisites]

6. Configure the instance by personalizing the name and description to your liking. Enter the serial license key that was sent by email, or you may Request a trial.

[Figure: Devolutions Server Registration dialog]

7. Select a zip file or use the automatic download function. Choose a destination folder and an IIS virtual directory name.

The process that runs Web sites has been granted the proper permissions under c:\inetpub\wwwroot. We recommend you create a new folder beneath it, and create the Devolutions Server instance under that folder.

[Figure: Source or Destination]

[Figure: Create and select folder]

8.
Enter the Server and Database settings, and create the database with the Create Database button.

The user account that you are using to create the database must have sysadmin privileges in the SQL Server instance. Consult the Database topic for more information.

If you wish to use the Integrated Security option to connect to the database, it is important to change the Application Pool Identity in the IIS Manager and set the proper permissions for the service account on the SQL database. Please consult How to Configure Devolutions Server to use integrated security.

[Figure: Database dialog]

9. Choose the authentication options. For the initial setup, we recommend enabling Authenticate with Devolutions Server custom user. This guarantees connectivity for the first steps; it can be disabled later. If you are connected to a domain, refer to the Authentication server settings for further information.

[Figure: Authentication Settings]

10. Make sure Internet Information Services (IIS) is installed in order to proceed with the installation of Devolutions Server.

[Figure: IIS Settings]

11. Ensure the ASP.NET State Service has been started or is set to start automatically. The State Service is required to maintain the web session information between each call.

If you select "Start ASP.NET State Service" and receive a response of "Service is not installed", this means that ASP.NET has not been installed correctly.

[Figure: ASP.NET State Service configuration]

12. Configure the email settings. You can decide to disable this feature by using the check box.

[Figure: SMTP Configuration page]

13. You can enable the Devolutions Proxy here.

14. Once all the steps are completed, click Install.

[Figure: Installation summary report]

15.
Once the installation is complete, a window will open to confirm that the deployment of the server has been performed.

[Figure: Installation completed]

16. Create at least one administrator user account.

You must create an administrator account if you've enabled the Devolutions Server Authentication model. In other cases, the account name must match the chosen authentication model. If you are unsure of the result, also enable Devolutions Server authentication, create an administrator account and grant the Administration privilege to the account. Please refer to User Management for further information about creating user accounts.

After a successful authentication with the other model, the Devolutions Server user account will have been created and you will be able to see how to format your account names. You can then disable the Devolutions Server authentication model. Please see the Automatic User Account Creation section in the topic Authentication.

17. You can test the server installation by opening the URL (e.g.: http://localhost/DVLS) or by clicking on the globe icon in the Devolutions Server Console.

[Figure: Devolutions Server Console]

18. You can also test the connection from the client by creating a data source with the Register button from the Devolutions Server Console. Please refer to How to Configure Client Data Source for more information.

Part IV Upgrading Devolutions Server

4 Upgrading Devolutions Server

Upgrade

As a best practice, it is highly recommended to first deploy the new version of Devolutions Server to a staging instance and verify its stability before deploying it to your whole organization. If you do not have a staging instance, we recommend a limited roll-out to ensure the workflow is supported to your satisfaction prior to impacting your whole team.
Some new releases have additional steps; please consult these topics as appropriate. Consult all versions sequentially from the version you are starting from.

· Upgrading to 3.0
· Upgrading to 3.2
· Upgrading to 4.0
· Upgrading to 4.5

These steps are intended to be carried out on a single server or a basic topology. If your environment differs from these topologies, please contact us and we will guide you on how to upgrade Devolutions Server.

Workflow

· Ensure that the instance users have the offline mode enabled and that they all perform a full refresh of the cache (CTRL+F5).
· Have your team switch to the offline mode, allowing them to work while the system is down.
· Perform a full backup of the database and take precautions against that backup file being deleted by a maintenance plan.
· Archive the content of the folder containing the Devolutions Server instance (zip).
· Update the Maximal version of Remote Desktop Manager in Administration - Data Source Settings - Version Management - Maximal version, if this option was set before the upgrade.
· Install the desired version of Remote Desktop Manager Enterprise - Windows Edition.
· Run it with elevated privileges in order to access the Devolutions Server Console.
· Choose the Devolutions Server instance in the console, then press the upgrade button and follow the procedure below.
· Upon success, have a user upgrade his workstation with the same version of Remote Desktop Manager and test connectivity with the server instance.
· When you are satisfied, have the rest of the staff upgrade to the same version of Remote Desktop Manager.
· Update the Minimal version of Remote Desktop Manager in Administration - Data Source Settings - Version Management - Minimal version, if this option was set before the upgrade.

Wizard Steps

1. Open the Devolutions Server Console.

2. Run the Server Diagnostic to ensure you have the current prerequisites.

[Figure: Devolutions Server console]

3.
Select the instance that you wish to upgrade.

4. Click the Upgrade server button.

[Figure: Upgrade source]

5. Select the upgrade source. You can either use the latest General Availability release that is available online automatically, or specify the path to a zip file that you have downloaded yourself. Use the latter for beta releases or for earlier versions.

[Figure: Select upgrade source]

6. Press Next.

7. Review the summary and press Upgrade if you are satisfied.

[Figure: Upgrade completed successfully]

4.1 Upgrading to 3.0

Description

Please contact the support team for an appointment. We will perform the upgrade with you in a remote session.

4.2 Upgrading to 3.2

Description

Please contact the support team for an appointment. We will perform the upgrade with you in a remote session.

Errors

After upgrading Devolutions Server to version 3.2.0.0, it is possible that none of the users can authenticate on the server.

[Figure: Error dialog from Data Source login attempt]

[Figure: Error from Web interface login attempt]

Cause 1 - Username format is incorrect

It will be impossible to authenticate in Devolutions Server version 3.2 if the user name format used is only the Username instead of one of NETBIOS (Domain\Username) or UPN ([email protected]). A database script needs to be run in order to prefix the domain name in the user name field. We can send the script upon request, but we would prefer to perform this task with you in a remote session.

Cause 2 - Account authentication type is not specified

If the account authentication type is not specified, follow these steps:

1. On the computer that is hosting the Devolutions Server instance, launch Remote Desktop Manager with elevated privileges and open the Devolutions Server Console from the Tools menu.

[Figure: Remote Desktop Manager Enterprise - Windows Edition Tools menu]

2. Select the Devolutions Server instance and click on the User Management button.
[Figure: Devolutions Server - Console]

3. Edit each user and check if the Authentication type is editable. If it is editable, the authentication type is not specified and was guessed by the application. Please DO NOT CHANGE THE AUTHENTICATION TYPE, and click on the OK button to save the Authentication type.

[Figure: User Management dialog]

4. Alternatively, you can use the Batch Edit button in the User Management dialog to modify two or more users at the same time. Select all users with the same Authentication type and click on the Batch Edit button.

5. Check the second Override check box, select the correct Authentication type from the drop-down list and click on the OK button.

6. If the Authentication type is currently saved in the database, then it is impossible to modify it to another authentication type. Be sure to select the correct Authentication type before saving any modifications.

4.3 Upgrading to 4.0

Description

Please contact the support team for an appointment. We will perform the upgrade with you in a remote session.

Here is an overview of what to look for when upgrading to version 4.

Dependencies

This version introduces a dependency on the IIS Rewrite Module. That is the name given in the list of features, but in the Microsoft Web Platform Installer it is labeled URL Rewrite 2.0.

Simply run the Web Platform Installer, search for Rewrite, and install URL Rewrite 2.0.

Alternatively, you can download it directly from https://www.iis.net/downloads/microsoft/url-rewrite and perform a manual install.

Significant changes

Administration Credentials

To work around the fact that a growing number of our users have to operate in a locked-down AD structure, we have had to create a feature for you to specify administration credentials. When these are specified, they will be the account used to query the AD structure instead of the user account that we are authenticating.
The administration credentials must have READ privileges in all of the domains that you are accessing.

4.4 Upgrading to 4.5

Description

Please contact the support team for an appointment. We will perform the upgrade with you in a remote session.

Dependencies

Version 4.0 introduces a dependency on the IIS Rewrite Module. Run the Microsoft Web Platform Installer, search for Rewrite, and install URL Rewrite 2.0.

Significant changes

The encryption between the client applications and the server has been improved significantly. Please consult Manage Encryption Keys.

4.5 Upgrading to 4.6

Description

Please contact the support team for an appointment. We will perform the upgrade with you in a remote session.

Dependencies

Version 4.0 introduces a dependency on the IIS Rewrite Module. Run the Microsoft Web Platform Installer, search for Rewrite, and install URL Rewrite 2.0.

Significant changes

The encryption between the client applications and the server has been improved significantly. Please consult Manage Encryption Keys.

Part V Management

5 Management

5.1 Devolutions Server Console

Description

Because Devolutions Server is in fact a web application, the management interface is provided by Remote Desktop Manager Enterprise - Windows Edition. The management interface is called the Devolutions Server Console.

Console

1. Because the Devolutions Server Console manages the IIS metabase, Remote Desktop Manager must be started with elevated privileges when the console needs to be used. Elevated privileges are granted when you use "Run as Administrator" to launch the application. You can modify the shortcut to always start it in this manner if you prefer.

2. Select Tools - Devolutions Server Console.

[Figure: Tools ribbon]

[Figure: Devolutions Server Console]

Actions
· New
· Edit
· Delete
· Upgrade
· Refresh
· Manage Users
· Manage Groups
· Manage Roles
· Import Users
· View Logs
· View web client
· Explore Content of web site directory
· Register the Devolutions Server as a Data Source
· Server Diagnostic
· Pack data source
· Advanced
  o Manage Encryption Keys

5.2 Authentication

Description

Devolutions Server supports multiple authentication models.

[Figure: Authentication tab]

Settings

Authentication Modes

Option: Description
Authenticate with domain user: The domain is used to authenticate the user.
Authenticate with Devolutions Server custom user: The Devolutions Server is used to authenticate the user. You must create the initial user through the console.
Authenticate with local machine user: The application allows a local user to be authenticated on the server.
Authenticate with database user: The database is used to authenticate the user.

Windows Authentication

Enable Windows Authentication: The application will use the current Windows authenticated user to authenticate to the Devolutions Server instance.

Automatic User Account Creation

When using authentication models other than Active Directory, a user account needs to be created beforehand in order to grant access to the system.

When you are using Active Directory authentication, two choices are offered to you:

1. You can choose to create the user account manually, just as with the other authentication models; or
2. Enable Automatic Account Creation, and let Devolutions Server create user accounts as soon as they are authenticated by the domain you've linked the instance to.

After the account is created, rights and permissions are assigned either manually to the user account, or through membership in AD groups for which you have created a role mapping.

User accounts created by the server have no rights other than logging on to the system.
They will be able to see and edit the objects that have no security defined. You must ensure that all sessions are protected; typically this is achieved by ensuring that all root level folders have a security group assigned to them.

Depending on the authentication mode used, the user name may be prefixed by the domain name, and the exact naming convention is controlled by the domain. For instance, for a WINDJAMMER domain that is registered as windjammer.loc, we have no way of knowing beforehand what form will be reported by the AD services. It is recommended to always enable Devolutions Server authentication initially and create an Administrator account for the initial phase of implementation.

5.3 Security

Description

The Security section of the Devolutions Server Console allows you to manage your instance. These management features are exactly the same as the ones offered under the Administration tab of the various Desktop Clients when they are connected to that instance through a Data source.

Since the latter is the one you will spend most of your time using, whenever a new instance is created, we recommend creating an administrative user, then registering the instance as a data source in your Desktop Client of choice. This will bring you into more familiar territory and will help you get around more quickly.

If you are using full AD integration, where the assignment of permissions comes mostly from AD group membership, then roles are the mechanism that makes this work.

The sections below cover the basic management features for when you cannot use a desktop client.

· Security Group Management
· User Management
· Role Management

5.3.1 Security Group Management

Description

Security Groups are used to assign a security scheme to all entries, but we recommend you set them only on folders, which results in the child entries inheriting the security group.
There is no direct relationship between Active Directory and Security Groups.

By default, every session is created without a security group, and is visible to all connected users. You can grant permissions against a group to a user account or to a role. All sessions without security groups are considered public.

The Security Group security system will be deprecated in a future version of Remote Desktop Manager. We recommend using the new Role Based Security System.

Managing Security Groups

Security groups are managed from the Security Groups button of the Devolutions Server Console or from Administration - Security Groups.

[Figure: Manage Security Groups from Devolutions Server Console]

[Figure: Manage Security Groups from Administration ribbon]

Security groups have no significant properties of their own; they carry a name and a description. They are simply a linking mechanism between an entry and a security matrix (from the users' or roles' permissions). A Security group can be interpreted as a container of sessions.

[Figure: Security Group Management dialog]

For more information, please consult How to Configure Security Groups and Roles with AD Integration.

5.3.2 User Management

Description

With the Devolutions Server data source, you can create users and grant them permissions. You must be an administrator of the database to create users and assign rights. User management is available from the menu Users - Add User or from the Devolutions Server Console when executed locally on the server.

[Figure: Devolutions Server Console]

Adding a User

You can create a user linked to a domain account, or a built-in user. If the option Auto create domain users in database has been set in the Authentication tab of the Devolutions Server settings, domain users are created automatically the first time they log on. They don't have any rights except what is public.
[Figure: User Management dialog]

Linking a Security Group to a User

You can manage the rights and groups in the Permissions tab. A user with administrator rights has access to all of the configured sessions from all groups.

[Figure: User Permission tab]

Linking a Role to a User

Roles are assigned when the user is authenticated from the Domain.

For more information, please consult How to Configure Security Groups and Roles with AD Integration.

5.3.3 Role Management

Description

Active Directory groups must be created before creating Roles.

Role management is only available when Domain authentication is enabled. This allows the server to link an Active Directory (AD) group to a role in Devolutions Server. All the role settings are applied to the users that are members of the AD group.

[Figure: Devolutions Server Console]

Roles can be edited from the Devolutions Server Console locally on the server or from a remote data source by using the menu Roles.

[Figure: Role Management dialog]

For more information, please consult How to Configure Security Groups and Roles with AD Integration.

5.3.4 LDAP over SSL

LDAP over SSL (LDAPS) is a method to secure LDAP communications. By default, LDAP communications between client and server are not encrypted. In some organizations, this could lead to a security breach. To secure this protocol, LDAP over SSL must be configured on the server and for client authentication.

Follow this link for further information: http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

5.4 Advanced

Description

The Advanced menu offers advanced tools available with Devolutions Server.

[Figure: Advanced menu]

Actions

· Manage Encryption Keys

5.4.1 Manage Encryption Keys

Description

From this dialog, it is possible to manage the different encryption keys used by Devolutions Server.
[Figure: Manage Encryption Keys dialog]

Settings

Option: Description
Operation: · Export · Import · Regenerate
Login Key: The encrypted key used by Devolutions Server for logins.
Token Storage Key: The encrypted key used by Devolutions Server for the token.
Password: The password required to export the encryption keys into a file or import them from a file.

5.5 Server Settings

5.5.1 General

Description

[Figure: General tab]

Settings

General

Option: Description
Name: Enter the name for your server; it will be displayed in the Content area.
Description: Enter a short description or additional information.

Registration

Option: Description
Serial: Insert your serial registration number.
Request trial: This will redirect you to our Devolutions Server page to request a free 30-day trial.

5.5.2 Database

Overview

[Figure: Database tab]

Settings

Database

Note that the User/Password or Integrated Security settings affect how the Devolutions Server Console communicates with the SQL database. These options do not have any impact on how users will authenticate on the Devolutions Server instance.

Option: Description
Server: Name of the server where the database will be stored.
User: Enter the username to access the database.
Integrated security: Specify to use Windows Integrated Authentication for authenticating to the database. In order for integrated security to be used to connect to the database, you must set a domain account as the Application Pool identity in the IIS Manager.
Password: Enter the password to access the database.
Test Server: Test the connection with the server to validate that the proper information has been provided.
Database: Name of the database on the server used by Remote Desktop Manager.
Create Database: If the database doesn't already exist, you can create one directly from here.
In order to use integrated security correctly, the database must be created with db_owner rights.
Test Database | Test the connection with the database to validate that the proper information has been provided.
Update Database | Update the database on the server, if required to use Remote Desktop Manager.
Use SQL Server encrypted connection | Use SSL to encrypt communication with the database.
Trust server certificate | Always trust the server certificate.
Caching mode | The caching mode determines how the instance reloads entries when changes are detected. On large data sources caching is a must and will increase performance significantly.
Failover partner | The name of the failover partner server if database mirroring is configured. This is used only for the initial connection, as the principal server will return a name which replaces the configured value when different.
Email Schema to Support | Sends your schema directly to the Devolutions Support team.
View database version | View your current database version.

5.5.3 Authentication

Overview

Select the type of authentication method used by your users to connect to the Devolutions Server.

As a best practice, we strongly recommend the Domain Authentication method, as it can be integrated with Active Directory groups and is easier to manage.

[Figure: Authentication tab]

Settings

Authentication Modes

Option | Description
Authenticate with domain user | The domain is used to authenticate the user.
Authenticate with Devolutions Server custom user | The Devolutions Server is used to authenticate the user. You must create the initial user through the console.
Authenticate with local machine user | The application allows a local user to be authenticated on the server.
Authenticate with database user | The database is used to authenticate the user.

Windows Authentication
Enable Windows Authentication | The application will use the current Windows authenticated user to authenticate to the Devolutions Server instance.

5.5.4 Domain

Description

The domain is used to authenticate the user. This is the most secure, most flexible and easiest mode to manage. There is no need to sync users between the domain and Devolutions Server. On first use of the Devolutions Server data source, the user is created and given access rights according to their role in the organization as defined on the domain.

You simply need to grant appropriate permissions to your roles in Devolutions Server. Upon authentication, we validate the AD groups to which the user belongs, and for any group that has a corresponding role we grant the permissions to the user.

[Figure: Domain tab]

Settings

Domain Authentication

Option | Description
Domain | Specify the remote computer domain name.
Administration credentials | Add the credentials of a domain administrator account to access the Active Directory forest. This is needed when the server hosting the instance is not located on the domain.
Allow logins using email address | Allow users to use their email address to connect to the Devolutions Server instance. The email address field must be filled in in User Management.
Use nested AD group | Use the Active Directory group configured in the parent AD group.

LDAPS

Option | Description
Enable LDAPS | Enable LDAP over SSL communication.
Default | LDAPS default communication port.
Port | Set a specific port value.

Automatic User Creation

Option | Description
Auto create domain users in the database | Automatically create the domain user in the database.
Only from this AD group | Automatically create the user only if they are a member of this AD group.
Username Format | Select the username format that will be created in User Management.
· UPN: The user will be created using the UPN format, e.g. [email protected].
· NetBios: The user will be created using the NetBios format, e.g. WINDJAMMER\bill.
· Username: The user will be created using the SAM account name.

Multi Domain

The Multi Domain feature requires the Devolutions Server Platinum Edition license. Currently, it only works with trusted domains that belong to the same AD forest.

Option | Description
Multi domain | Enable the Multi domain feature.
Trusted domains | Add your trusted domains.

5.5.5 2-Factor Authentication

Overview

This feature is only available when using a Devolutions Server Corporate license.

Two-factor authentication (2FA) provides unambiguous identification of users by means of the combination of two different components. These components may be something that the user knows or something that the user possesses. The use of two-factor authentication to prove one's identity is based on the premise that an unauthorized actor is unlikely to be able to supply both factors required for access. If, in an authentication attempt, at least one of the components is missing or supplied incorrectly, the user's identity is not established with sufficient certainty, and access to the asset protected by two-factor authentication remains blocked.

[Figure: Two-Factor Authentication tab]

2FA supported by Devolutions Server

· Google Authenticator
· Yubikey
· SafeNet
· Duo
· AuthAnvil
· Email
· SMS
· Vasco
· Azure MFA
· Radius

For more information on how to configure 2FA on the Devolutions Server, please follow this link.

5.5.5.1 Google Authenticator

Description

Devolutions Server supports Google Authenticator to provide an additional security layer when opening a selected data source.
Settings

Before you start the configuration, make sure you have installed the Google Authenticator application on your Android device, Blackberry or Apple product (iPhone, iPad or iPod Touch).

See Google Authenticator for more information on the settings.

5.5.5.2 Yubikey

Description

Devolutions Server allows you to configure Yubikey to provide an additional security layer when opening a selected data source.

Settings

Before you start the configuration, make sure you have a Yubikey in your possession.

See Yubikey for more information on the settings.

5.5.5.3 SafeNet

Description

The 2FA Email setting is only available for the Devolutions Server. It allows you to configure SafeNet to provide an additional security layer when opening a selected data source.

Settings

Before you start the configuration, make sure you have a SafeNet device (eToken, iKey or Smart Card) in your possession.

Please consult our Online Help on SafeNet settings. Please consult the SafeNet website for more information about it.

5.5.5.4 Duo

Description

Devolutions Server allows you to configure Duo to provide an additional security layer when opening a data source.

Settings

Before you start the configuration, make sure you have created and configured your Duo account. For more information about Duo authentication, please consult the Duo web page.

See Duo for more information on the settings.

5.5.5.5 AuthAnvil

Description

Devolutions Server allows you to use AuthAnvil Authenticator to provide an additional security layer when opening a selected data source.

Settings

Before you start the configuration in Devolutions Server, make sure you have created and configured your AuthAnvil account. For more information on AuthAnvil installation, please consult http://www.scorpionsoft.com/tour/intro.

See AuthAnvil for more information on the settings.

5.5.5.6 Email

Overview

The 2FA Email setting is only available for the Devolutions Server.
It uses the user's email account as the second component required to access the data source.

If you have selected Required in the 2FA usage option, every user will automatically get a 2FA request when logging in. It is not necessary to edit each and every one of your users, as long as they have an email address set in their User settings.

If you select Optional per User in the 2FA usage option, you will have to set up each user for whom you wish to use 2FA.

For this option to be valid, you will have to configure both the Server and the User.

See 2FA Email for more information on the settings.

5.5.5.7 SMS

Overview

The 2FA SMS setting is only available for the Devolutions Server. It asks the user to enter a code received on their mobile phone as the second component required to access the data source.

If you have selected Required in the 2FA usage option, every user will automatically get a 2FA request when logging in. It is not necessary to edit each and every one of your users, as long as they have a mobile phone number set in their User settings.

If you select Optional per User in the 2FA usage option, you will have to set up each user for whom you wish to use 2FA.

For this option to be valid, you will have to configure both the Server and the User.

There are two possible configurations with 2FA SMS.

· 2FA SMS Free
· 2FA SMS Twilio

5.5.5.8 Azure MFA

Overview

The 2FA Azure MFA setting is only available for the Devolutions Server. It asks the user to reply with a code received on their mobile phone or to answer a phone call from Azure.

Azure Multi-Factor Authentication (included in Azure AD Premium and Enterprise Mobility Suite) is required in order to download the SDK file needed for the Devolutions Server configuration.
For more information on Azure Multi-Factor Authentication, please consult this web site: https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication/.

For more information on how to configure Azure MFA, please consult the Azure MFA settings topic.

5.5.5.9 Radius

Description

Devolutions Server supports Radius authentication to provide an additional security layer when opening a selected data source.

Settings

Before you start the configuration, make sure you have a properly configured Radius server available in your organization.

5.5.5.10 Vasco

Description

Devolutions Server supports Vasco authentication to provide an additional security layer when opening a selected data source. Vasco's two-factor authentication ensures only authenticated users gain access.

Before you start the configuration process in Devolutions Server, make sure you have created and configured your Vasco account. For more information on Vasco installation, please consult https://www.vasco.com/two-factor-authentication.html.

See Vasco for more information on the settings.

5.5.6 Security

Overview

The Security tab adds a layer of security by controlling access to the Devolutions Server by IP address.

[Figure: Security tab]

Settings

IP

Option | Description
Allowed Single IPs | If you wish to restrict access to the Devolutions Server to certain IP addresses only, enter them here. If nothing is entered in this field, all IP addresses will be allowed to connect to the Devolutions Server.
Allowed Masked IPs | If you wish to restrict access to the Devolutions Server to certain masked IPs only (dividing the host part of an IP address into a subnet and host address), enter those masked IP addresses here.
Denied Single IPs | If you wish to deny access to the server from certain IP addresses, enter them in this field.
Denied Masked IPs | If you wish to deny access to the server from certain masked IP addresses (dividing the host part of an IP address into a subnet and host address), enter them in this field.

Auto Lock

Option | Description
Enabled auto lock | Automatically locks down access to the Server after a predetermined number of failed attempts.
Attempt Count | Enter the number of failed attempts before locking down the Server.

5.5.7 GeoIP Security

Overview

GeoIP refers to the method of determining a computer terminal's geographic location by identifying that terminal's IP address.

[Figure: GeoIP Security tab]

Settings

Option | Description
GeoIP Mode | Choose your GeoIP method from the following:
· None: GeoIP security will not be used.
· Free GeoIP: Use the GeoLite database to look up the city, AS number and other information for an IP address, and then select the countries you wish to grant access to your Devolutions Server.
· MaxMind: Use MaxMind's GeoIP database to look up the city, AS number and other information for an IP address. Connect to your account by entering your User ID and License Key in the appropriate fields, and then select the countries you wish to grant access to your Devolutions Server.

5.5.8 IIS

Overview

The IIS settings are part of your prerequisites at the installation level. Most of what is found in this tab is filled in automatically from the information given while setting up your Devolutions Server; the IIS Settings tab is more informative than it is a place to configure.

[Figure: IIS tab]

Settings

Option | Description
Force https | Force the use of https instead of http.
Encrypt web.config file | Activate this option if you wish to add an extra layer of security to your configuration by encrypting the file.

5.5.9 Email

Overview

Emails are sent by our Notification engine and by some of our two-factor authentication providers.
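Returning to the four IP lists of the Security tab (section 5.5.6): the following added example, which is not part of the Devolutions documentation or product code, models those lists so that a planned configuration can be dry-run against known client addresses before it is saved. It assumes that masked IPs are written in CIDR or address/netmask form, that a denied entry takes precedence over an allowed one, and that "nothing entered" means both allowed lists are empty; the manual specifies none of these.

```python
"""Dry-run model of the four IP lists on the Security tab (added example).

Assumptions that do not come from the Devolutions Server manual:
  * masked IPs are written as CIDR ("192.0.2.0/24") or address/netmask;
  * a denied entry takes precedence over an allowed entry;
  * "nothing entered" means both allowed lists are empty.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IpPolicy:
    allowed_single: list = field(default_factory=list)
    allowed_masked: list = field(default_factory=list)
    denied_single: list = field(default_factory=list)
    denied_masked: list = field(default_factory=list)

    def __post_init__(self):
        # Parse every entry up front so a typo raises ValueError here,
        # not at the first login attempt after the lists are saved.
        self._allow_ips = {ipaddress.ip_address(a) for a in self.allowed_single}
        self._deny_ips = {ipaddress.ip_address(a) for a in self.denied_single}
        # strict=False tolerates host bits in an entry, e.g. "192.0.2.7/24".
        self._allow_nets = [ipaddress.ip_network(n, strict=False)
                            for n in self.allowed_masked]
        self._deny_nets = [ipaddress.ip_network(n, strict=False)
                           for n in self.denied_masked]

    def evaluate(self, client):
        """Return (allowed, reason) for one client address."""
        addr = ipaddress.ip_address(client)
        if addr in self._deny_ips:
            return False, "denied single IP"
        for net in self._deny_nets:
            if addr in net:  # False when IPv4/IPv6 versions differ
                return False, f"denied masked IP {net}"
        if not self._allow_ips and not self._allow_nets:
            return True, "no allow list configured"
        if addr in self._allow_ips:
            return True, "allowed single IP"
        for net in self._allow_nets:
            if addr in net:
                return True, f"allowed masked IP {net}"
        return False, "not on any allow list"


def lockout_report(policy, known_clients):
    """Map each named client that would be refused to the reason."""
    report = {}
    for name, address in known_clients.items():
        allowed, reason = policy.evaluate(address)
        if not allowed:
            report[name] = reason
    return report


# Constructed sample data (RFC 5737 documentation ranges, not real hosts).
PLANNED_POLICY = IpPolicy(
    allowed_single=["203.0.113.10"],
    allowed_masked=["192.0.2.0/255.255.255.0"],
    denied_single=["192.0.2.66"],
    denied_masked=["198.51.100.0/24"],
)
KNOWN_CLIENTS = {
    "admin-workstation": "192.0.2.15",
    "jump-host": "203.0.113.10",
    "backup-operator": "203.0.113.11",
    "retired-kiosk": "192.0.2.66",
    "vpn-pool-user": "198.51.100.7",
}

if __name__ == "__main__":
    for name, reason in lockout_report(PLANNED_POLICY, KNOWN_CLIENTS).items():
        print(f"{name}: would be refused ({reason})")
```

Running the report against the addresses of the administrators' own workstations before saving the lists shows whether the change would lock them out of the instance.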
[Figure: Email tab]

Settings

General

Option | Description
Email enabled | It is mandatory to enable this option to send notifications or to use some 2FA providers.

SMTP Configuration

Option | Description
Host | Enter the host for the SMTP server.
Port | Set the SMTP server port.
Enable SSL | Specifies whether to use Secure Sockets Layer (SSL) to encrypt the connection. Please see Note 1 for important information.
Username | Enter your username to connect to your SMTP server.
Password | Enter your password to connect to your SMTP server.
Send email as | Enter the display name.
Email administrator | Logs and errors will be sent to the email address entered in this field.
Test Email | Test your email settings.

Note 1

Devolutions Server only supports the SMTP Service Extension for Secure SMTP over Transport Layer Security as defined in RFC 3207. In this mode, the SMTP session begins on an unencrypted channel, then a STARTTLS command is issued by the client to the server to switch to secure communication using SSL.

An alternate connection method is one where an SSL session is established up front, before any protocol commands are sent. This connection method is sometimes called SMTP/SSL, SMTP over SSL, or SMTPS and by default uses port 465. This alternate connection method using SSL is not currently supported.

5.5.10 User Interface

Overview

The User Interface tab enables the user to customize the interface according to their preferences. The three facets of the User Interface tab are Logo, Grid page size, and Date and time format. The settings table below lists all possible options that can be tailored to the user's specifications.

Settings

[Figure: User Interface tab]

Option | Description
Logo | None, URL, File
Grid page size | 10, 20, 50
Date and time format | Default, US, Custom

Date

Date/Time | Format
Year | yyyy = 2016; yy = 16
Month | MMMM = September; MMM = Sep; MM = 09; M = 9
Day | dddd = Sunday; ddd = Sun; dd = 09; d = 9 (If applicable, 25 can not be 5).

Time

Date/Time | Format
Hours | h = 1; hh = 01; H = 1 (If applicable, 11 can not be 1); HH = 13
Minutes | mm = 05; m = 5 (If applicable, 25 can not be 5).
Seconds | ss = 08; s = 8 (If applicable, 25 can not be 5).
TimeZone | tt = PM or AM; zzz or zz or z = EDT

5.5.11 Logging

Overview

Devolutions Server already manages its own logs. However, if you use a Syslog server, you might also wish to send your Devolutions Server logs to it, to centralize all your logs in one place and on a web interface.

[Figure: Logging tab]

Settings

General

Option | Description
Log debug information | Enable the Devolutions Server instance logs.

Syslog Server

Option | Description
Log to Syslog server | Enable the Syslog Server.
Host | Enter the host of your Syslog server.
Port | Enter the port of your Syslog server.
Protocol | Select your preferred protocol mode: · TCP · UDP

5.5.12 Features

Description

These are the different features available in Devolutions Server.

[Figure: Features tab]

Settings

Features

Option | Description
Allow edit entries from the web | Allow editing the properties of any entry type on the web interface.
Allow browser extensions | Allow saving credentials in the Devolutions Server instance with Devolutions Web Login.
Devolutions Proxy | Enable the Devolutions Proxy feature.
Allow Web API help page |

5.5.13 Scheduler

Overview

The Scheduler is used to enable automated tasks in Devolutions Server. Some further configuration is needed before enabling these options. Consult How to Configure Scheduler in Devolutions Server for more information.

Settings

[Figure: Scheduler tab]

Notification

The Notification settings are used to send email notifications to specific users.
These notifications cover any activity on sessions, security groups, roles, users, etc.

The Email settings must be configured in the Devolutions Server instance in order for notifications to be sent.

Category | Description
Allow notification subscription | Enable the notifications of the Devolutions Server instance.
Time Zone | Time zone used to display the time stamp in the notification email.

Backup

Category | Description
Enable backup | Enable the backup of the Devolutions Server instance.

5.5.14 Advanced

Description

The Advanced tab lets you modify advanced settings in the Devolutions Server configuration.

[Figure: Advanced tab]

Settings

Features

Category | Description
Token Valid Time (minutes) | This is the duration of the token. When the token expires, the user must authenticate again on the Devolutions Server instance.

Part VI Web Interface

6 Web Interface

Description

Because of documented vulnerabilities of web browsers, particularly their extensions, we do not perform any password decryption in a web browser. The web interface is purposefully feature-limited, and you must use the client to perform any modification to entries.

Login page

Open a browser to the URL that you have chosen for your Devolutions Server instance. If you have followed the default settings for a first installation, it should normally be available at http://localhost/dvls.

[Figure: Login page]

Configuration

[Figure: Configuration]

6.1 Home

Description

The Home page is where you can view and edit the information about your user account.

[Figure: Home page]

Edit your Account

The Edit your Account button lets you change your account information, such as First name, Last name, Address, Phone number, etc.

[Figure: Edit your Account dialog]

Change Gravatar

The Change Gravatar button lets you set the email address that points to your Gravatar image.
[Figure: Change Gravatar dialog]

Change Password

The Change Password button lets you change your password.

This tool only works with Devolutions Custom accounts. It will not work with other account types such as domain and database.

You can use the Generate Password tool, which automatically generates a password and fills in the New password field. You will have to copy and paste it into the Confirm Password field.

[Figure: Change Password dialog]

The Password Generator tool opens a dialog that helps you choose the rules used to generate a list of passwords.

[Figure: Password Generator dialog]

Links

The Visit our Forum and Online Help buttons open the forum or the online help in another browser tab.

Downloads

The Downloads tab provides all the links to download Remote Desktop Manager and Password Vault Manager for each supported platform. It also provides the download links of the Devolutions Web Login add-on for every supported browser.

6.2 Connections

Description

[Figure: Connections page]

6.3 Administration

Description

Modify Users

[Figure: Users management]

Modify Security Groups

[Figure: Security Groups management]

Modify Roles

[Figure: Role management]

Users Locked

[Figure: Users Locked]

Users 2FA Status

[Figure: Users 2FA Status]

6.4 Reports

Description

Reports

Connected users

[Figure: Reports - Connected User List]

Login attempts

[Figure: Reports - Login Attempt]

Login history

[Figure: Reports - Login History]

6.5 Tools

Description

TBD

Part VII How-To

7 How-To

7.1 How to Configure Client Data Source

Create Devolutions Server data source

1. Select File - Data Sources.

[Figure: File - Data Sources]

2. New Data Source.

[Figure: Data Source configuration dialog]

3. Select the Devolutions Server data source.
[Figure: Add New Data Source dialog]

4. Specify settings. If you specify %USERDOMAIN%\%USERNAME% in the user text area, the value of the corresponding environment variables will be used.

[Figure: Data Source configuration]

Notes

If the server is configured to only allow SSL, ensure you specify https:// as the protocol.

7.2 How to Configure Devolutions Server to use integrated security

Description

In order for integrated security to be used to connect to the database, you must set the Application pool to run under a domain account.

Steps

To make these instructions simpler, we will name the domain account RDMRunner; please adapt to your requirements.

· Create the RDMRunner account in the domain;
· Grant access to the SQL Server instance to RDMRunner;
· Grant access to the database to RDMRunner;
· In IIS Manager, expand the Application pool section and locate the application pool used by your Devolutions Server site. By default it has the same name as the web application;
· In the advanced settings, edit the Identity setting to set the RDMRunner account.

[Figure: Application pool Identity]

7.2.1 How to Grant access to SQL Server instance

Description

In order to use Integrated Security, you will need to grant access and specific permissions to the domain account used to connect to the SQL Server instance.

Steps

To make these instructions simpler, we will name the domain account RDMRunner; please adapt to your requirements.

1. Using Microsoft SQL Server Management Studio, right-click on the Security branch and select New Login.

[Figure: MSSQL]

2. In the dialog, click on Search.

[Figure: Login - New]

3. Change the location to your domain and then select the RDMRunner user account.

[Figure: Select User or Group]

4.
In the User Mapping section, find your database and check the Map checkbox.

[Figure: User Mapping]

5. In the Database role membership, grant the db_datareader role and then click OK to save the login.

[Figure: Database role membership]

Permissions

The permissions described below allow ALL management operations to be performed through the Devolutions Server instance. Some may desire to harden the system. Hardening the system means disallowing certain operations from the Devolutions Server instance, which makes it necessary to use a SQL Server data source, bound to the same database, for these operations. For instance, you could decide not to allow users to be created through the instance, but only through a direct SQL connection. Please contact us to discuss these scenarios.

Please note that these instructions were valid for version 315 of the database schema. If you run into issues and the schema is of a higher version, please contact us. To identify the current schema version, run:

    SELECT [DatabaseVersion] FROM [DatabaseInfo]

At the database level you will need to grant these permissions:

    GRANT INSERT, DELETE, UPDATE ON Attachment TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON BackupJob TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON BackupLog TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON ConnectionHistory TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON ConnectionLog TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON Connections TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON DatabaseInfo TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON DataSourceSettingHistory TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON GroupInfo TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON GroupInfoHistory TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON LoginAttempt TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON LoginHistory TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON LogMessage TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON Repository TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON RepositoryHistory TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON Subscription TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON SubscriptionEvent TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON Todo TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON TodoUsers TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON UserAccount TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON UserGroupInfo TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON UserInfo TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON UserInfoHistory TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON UserProfile TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON UserRole TO [DOWNHILL\RDMRunner];
    GRANT INSERT, DELETE, UPDATE ON UserSecurity TO [DOWNHILL\RDMRunner];

7.3 How to Configure SSL

Description

Please perform these steps only after you have configured the Devolutions Server instance and have successfully connected through a client
application. Performing these steps right from the start may add a layer of complexity that could prevent you from succeeding in the initial configuration.

Import Certificate or Create Self-Signed Certificate

1. Select the server node in the tree view and double-click the Server Certificates feature in the list view:

[Figure: Server certificates]

2. Click Import Certificate... in the Actions pane, or click Create Self-Signed Certificate... in the Actions pane. Follow the wizard.

Create a SSL Binding

1. Select the web site in the tree view.

[Figure: IIS Tree view]

2. Click Bindings... in the Actions pane. This brings up the bindings editor that lets you create, edit, and delete bindings for your Web site. Click Add... to add your new SSL binding to the site.

[Figure: Add binding]

3. Select https in the Type drop-down list. Select the self-signed certificate you created in the previous section from the SSL Certificate drop-down list and then click OK.

[Figure: Define https binding]

4. Now you have a new SSL binding on your site.

[Figure: The new binding]

Configure SSL Settings in IIS

1. Select a Devolutions Server application in the tree view.

[Figure: IIS Tree view]

2. Click on SSL Settings.

[Figure: Web site icons]

3. Configure SSL settings if you want your site to require SSL, or to interact in a specific way with client certificates. Click the site node in the tree view to go back to the site's home page. Double-click the SSL Settings feature in the middle pane. Select Require SSL and click Apply.

[Figure: SSL Settings]

Modify the Devolutions Server configuration

1. Start any text editor (Notepad) by right-clicking it and choosing Run as Administrator.
2. Open the file "web.config" found in the Devolutions Server install directory.
3. Locate this line in the file:

    <add key="ForceHttps" value="false" />

4. Modify value from false to true.
5.
Save the file.

Configure SSL Settings in the Client applications

1. Edit the Devolutions Server data source.
2. Change the server URL to use the https:// protocol.

7.4 How to update your registration serial after a renewal

Description

Devolutions Server is licensed as a yearly subscription which must be kept current. With the renewal, a new license key is provided and needs to be entered in your instance configuration.

Your data is always available, even if the subscription has expired. You simply need to connect directly to the database by using a SQL Server data source.

Settings

Remote Desktop Manager Enterprise - Windows Edition must be started with elevated privileges in order to use the Devolutions Server Console.

Click on the Tools -> Devolutions Server Console menu and edit your Devolutions Server instance.

[Figure: Devolutions Server Console]

In the General - Registration section, replace the existing license key with the new one that you have received by email.

[Figure: Server Settings General tab]

7.5 How to Configure Two-factor Authentication (2FA)

Steps

This feature is only available when using a Devolutions Server Corporate license.

· In the Server Settings, select the Two-Factor tab.

[Figure: Two-Factor tab]

General

Option | Description
2FA usage | None: Two-factor authentication will not be used. Optional: Only users with 2FA configured in their profile will be prompted with a 2FA validation. Required: Every user will need 2FA to connect to the Devolutions Server instance.
Send reset email to | Administrator: Sends the reset email to all users that have the Administrator check-box checked. Note that this does NOT include those that get the privilege through belonging to a role. If using AD integration exclusively, this is not a recommended value. Specific email: Sends the reset email to the email address specified in the Specific email control.
Note that the control appears only when the Specific email value is selected.
Specific email | Email address which will receive reset emails.
2FA supported | Each of our client applications supports one or multiple 2FA providers.

Default

Option | Description
Default | The Default option is only activated when Required is selected in the 2FA usage option. If you choose more than one 2FA mode, you will then be able to select the Default 2FA method for your users.

Configure Users

If Optional is set in Two-factor usage, the users for which you require 2FA must be configured.

1. On the Devolutions Server console, click on the Users icon to configure the users that should use 2FA if the option Optional per User is set.

[Figure: Devolutions Server Console]

2. Select the user and click on the Edit User button.

[Figure: User and Security Management dialog]

3. In General - Two factor, click on Configure.

[Figure: User management dialog]

4. In the Two factor Configuration window, click on Change.

[Figure: 2-Factor Configuration dialog]

5. In the drop-down menu, select the two-factor configuration (we have chosen Google Authenticator for this example) and click on Save.

[Figure: 2-Factor Configuration dialog]

6. You can select Configure later by user or configure it immediately with your user.

[Figure: Google Authenticator Setup dialog]

Email

If Email or SMS Free is chosen as one of the Two Factor Supported providers, the SMTP server must be configured for the instance, and the user email address or mobile phone number must be provided in the user properties. See the Server settings - Email for more information.

[Figure: 2FA SMS and 2FA EMail warning message]

7.5.1 Email settings

Settings

1. In the Email tab, configure your SMTP Server.

[Figure: Email settings]

2.
On the Two-Factor tab, select Email as your 2FA mode. © 2017 Devolutions inc. | 123 124 | Devolutions Server Two-Factor settings 3. Once the SMTP server is configured click on Save. A window will pop up warning you to configure your User. 2FA Email warning message 4. In the Devolutions Server Console click on Users to configure the email account for each 2FA users. © 2017 Devolutions inc. Contents | 125 Devolutions Server Console 5. Select the User to Edit and in the General tab enter the user's email address. If you have selected Required in the 2FA Usage you have completed all the steps as they will have to set up their own account when logging in for the first time. If you have selected Optional per User click on Configure to activate the 2FA for those users and continue with the following steps. User Management dialog 6. Click on Change to choose the 2FA method. © 2017 Devolutions inc. 126 | Devolutions Server 2-Factor Configuration dialog 7. Select the Email 2FA mode, if you have selected more than one option when setting up the 2FA all the selected options will appear in the drop down menu. Once you have selected the 2FA type, click on Save. 8. The Email setup window will appear, select the option Configure later by user. Every time the User connects to the data source he will be prompted with the Validation email window, the user can then click on Send email validation code and an email containing the validation code will be sent. If after a few minutes you still haven't received the validation code please verify the SMTP settings as if one of the SMTP settings isn't correctly set up the email will never be sent and there will not be any error message. When receiving the validation code, enter it in the appropriate field and click on Save. Your user is now set up and ready to access the Devolutions Server data source. © 2017 Devolutions inc. Contents | 127 Email Setup dialog 7.5.2 SMS settings Description There are two possible configurations with 2FA SMS. 
· 2FA SMS Free
· 2FA SMS Twilio

7.5.2.1 SMS Free

Description

This 2FA SMS configuration uses the free method of sending an SMS from a computer through an e-mail address composed of the mobile phone number and the domain of the cellular carrier (e.g.: [email protected]). Please note that not all cellular carriers provide this method of sending SMS.

Settings

1. In the Email tab, configure your SMTP Server.

[Figure: Email settings]

2. In the Two-Factor tab, select SMS as your 2FA mode.

[Figure: Server Settings]

3. After you click on the Save button, a message is displayed asking you to fill in the mobile number of each user and to configure the Devolutions Server instance with the Service type set to Web API.

[Figure: Configuration advice]

4. On the Devolutions Server console, click on the Users icon to configure the users that should use the 2FA if the option Optional per User is set.

[Figure: Devolutions Server console]

5. Fill in the Mobile phone number in the Information tab of the User management window.

[Figure: User Management - Information tab]

6. The SMS 2FA can be configured directly through the User Management window. Click on Configure on the General tab.

[Figure: User management - General tab]

7. Click on Change to set the 2FA Type.

[Figure: 2FA Configuration]

8. After setting the 2FA Type to SMS, click on Save.

[Figure: 2FA Configuration]

9. Check the Configure later by the user check box to let the user authenticate his connection to the Datasource.

[Figure: SMS setup]

10. On the first connection to the Datasource, choose the cellular carrier of the mobile phone and click on Send sms validation code.

[Figure: SMS user authentication]

11. A message box informs you that the SMS code has been sent.

[Figure: SMS sent]

12. Enter the SMS Validation code in the proper field and click on the Save button to complete the authentication.

[Figure: Fill in the Validation code]

13. For all subsequent connections to the Datasource, the SMS Validation code will be sent automatically and the user will have to fill in the Validation code field and click on the Connect button. If the Validation code was not received, click on Resend validation code.

[Figure: Fill in the Validation code]

7.5.2.2 SMS Twilio

Description

SMS Twilio uses the Twilio SMS platform to send SMS to the mobile phone. The configuration needs a working Twilio SMS account.

Settings

1. Select SMS as your 2FA mode and click on Configure.

[Figure: Server settings - 2FA configuration]

2. Fill in the information for the Twilio account and click the Check button to validate it. A Success message box appears if all parameters match the Twilio account settings.

[Figure: Twilio settings]
[Figure: Success message]

3. After you click on the Save button of the Server settings window, a message is displayed asking you to fill in the mobile number of each user and to configure the Devolutions Server instance with the Service type set to Web API.

[Figure: Configuration advice]

4. On the Devolutions Server console, click on the Users icon to configure the users that should use the 2FA if the option Optional per User is set.

[Figure: Devolutions Server console]

5. Fill in the Mobile phone number in the Information tab of the User management window.

[Figure: User Management - Information tab]

6. The SMS 2FA can be configured directly through the User Management window. Click on Configure on the General tab.

[Figure: User management - General tab]

7. Click on Change to set the 2FA Type.

[Figure: 2FA Configuration]

8. After setting the 2FA Type to SMS, click on Save.
[Figure: 2FA Configuration]

9. Check the Configure later by the user check box to let the user authenticate his connection to the Datasource.

10. On connecting to the Datasource, the user is asked for the Validation code sent to the mobile phone. Click the Connect button to connect to the Datasource.

[Figure: SMS Twilio validation code]

7.5.3 SafeNet settings

Prerequisite

1. The complete SAS-SDK provided by SafeNet.
2. Hostname provided by SafeNet.
3. The Key file related to the SafeNet Authentication Service Manager account provided by SafeNet.

Settings

1. Install the BlackShield ID .Net Authentication API on the hosting machine of Devolutions Server. Depending on the hosting server, it can be the x86 or the x64 version.

[Figure: BlackShield ID .Net Authentication API]

2. When this installer asks for the hostname or IP Address of your BlackShield ID Authentication Server, fill in the information provided by SafeNet for this hostname and check the Connect using SSL option.

[Figure: BlackShield ID Authentication Server Address]

3. Copy the Key file into the BlackShield installation folder of the hosting computer of Devolutions Server. In this case, it is the C:\Program Files\CRYPTOCard\BlackShield ID\API\KeyFile folder.

[Figure: Key file folder]

4. Connect to the SafeNet Authentication Service Manager.

[Figure: SafeNet Authentication Service Manager]

5. Create each user from DVLS in the SafeNet Authentication Service Manager. It is very important that the user names in DVLS and SafeNet are identical.

[Figure: Creating user - SafeNet]

6. Next, click on the Provision button.

[Figure: User Detail - SafeNet]

7. Select the authentication type and click on the Provision button. In this example, we choose the MobilePASS authentication type.

[Figure: Select Authentication Type - SafeNet]

8. An email is sent to the user and a task has been added to the list of the Provisioning Tasks.

[Figure: Provisioning Tasks - SafeNet]

9. When the email is received by the user, he has to click on the link to start the token enrollment.

[Figure: SafeNet self-enrollment email]

10. In this example, if the MobilePASS application is not installed on the device or the computer, install it by clicking on the download link. After it is correctly installed, click on the Enroll your MobilePASS token link.

[Figure: SafeNet Self Enrollment]

11. Then, accept the token in the MobilePASS application by clicking on the Activate button. Follow the instructions to activate the SafeNet token.

12. On the Devolutions Server console, select and edit the instance. Then go to the Two-Factor tab, check the SafeNet checkbox and click on the Save button.

[Figure: Two-Factor tab]

13. On the Devolutions Server console, open the User Management dialog and edit each user that will use the SafeNet two factor authentication.

[Figure: User Management]

14. Change the Two Factor type to SafeNet and click on Save.

[Figure: Two Factor Configuration dialog]

15. Enter the Validation code from the MobilePASS application and click on the Save button.

[Figure: SafeNet Setup]

7.5.4 Azure MFA settings

Prerequisite

1. The Azure MFA SDK zip file which contains the client certificate and the private key. For more information, please consult this link: https://azure.microsoft.com/en-us/documentation/articles/multifactor-authentication-sdk/#download-the-azure-multi-factor-authentication-sdk.

Settings

1. On the Devolutions Server console, in the Two-Factor tab, check the Azure MFA option and click on Configure.

[Figure: Two-Factor tab]

2. Click on Read Azure MFA SDK zip file to select the file.

[Figure: Azure MFA Settings dialog]

3. Select the file previously downloaded from the Azure Portal.

[Figure: Select the Azure MFA SDK file]

4. When the file is correctly read, a Success dialog is shown.

[Figure: Azure MFA SDK zip file success]

5. All fields are now filled with the information from the Azure MFA SDK file. The IP Address field is used to allow a range of addresses and the Host name field is for a given name chosen by the administrator.

[Figure: Azure MFA Settings dialog]

6. In the User Management, select and edit a user. Then click on Configure in the Two factor section.

[Figure: User Management dialog]

7. Change the Two Factor Type to AzureMFA and click on Save.

[Figure: 2-Factor Configuration]

8. Fill in the phone number and set the communication method to SMS or Phone call. Then, click on the Save button.

[Figure: Azure MFA Setup]

9. When the user connects to the Devolutions Server, he will receive either a phone call, which he will have to answer and then press the pound key (#), or an SMS, to which he will be asked to reply with a code.

7.5.5 Radius settings

Prerequisite

1. A Radius server must be available in the organization.
2. All parameters for this configuration must be already configured on the Radius server.

Settings

1. On the Server Settings dialog from the Devolutions Server console, on the Two-Factor tab, check the Radius option and click on Configure.

[Figure: Two-Factor tab]

2. Fill in the appropriate information provided by the administrator of the Radius server in each field of the Radius Settings dialog.

[Figure: Radius Settings dialog]

3. Next, click on the Test button in the Radius Settings dialog and provide the Username and the Passcode.
Then click on the Check button to validate the information.

[Figure: Radius Settings dialog - Username]

4. It is possible to configure a Failover partner for the primary Radius server. Select the Failover tab in the Radius Settings dialog. Check the Enable failover RADIUS server option and fill in the information.

[Figure: Radius Settings dialog - Failover]

5. In the User Management, select and edit a user. Then click on Configure in the Two factor section.

[Figure: User Management dialog]

6. Select the Radius 2FA in the Type list and click on Save.

7.5.6 Vasco settings

Prerequisite

A configured Vasco account. For more information on Vasco installation, please consult https://www.vasco.com/two-factor-authentication.html.

Settings

1. Select Vasco from the list of available 2-Factor Authentication types.

[Figure: 2-Factor Authentication - Vasco]

2. Configure your Vasco settings. An example is provided below.

[Figure: Vasco soap Settings - Configuration Screen]

Option and description:
· Url: Website of the server.
· Component Type: The instance name created in Vasco.
· Password Format:
  One-Time Password (OTP): One-time passwords can only be used once, during a very short time, e.g. 10 seconds. They offer superior security to static passwords, which are more vulnerable to unauthorized use because they remain the same.
  Static Password: The most conventional method of password authentication. It is also the least secure method of preserving your password. Your password essentially remains the same from the moment it is created until it is changed or updated for that specific account.

7.6 How to Configure Security Groups and Roles with AD Integration

Description

These steps provide information on how to implement user security on Devolutions Server through Security Groups and Roles with Active Directory integration.
For more information, please follow this link on our Online Help about Security Best Practices.

The Security Group security system will be deprecated in a future version of Remote Desktop Manager. We recommend using the new Role Based Security System.

Steps

Create Security Groups

1. Open the Security Groups Management from the Devolutions Server Console.

[Figure: Devolutions Server Console]

2. Add a Security Group by clicking on the Add Security Group button.

[Figure: User and Security Management dialog]

3. Add a Name and a Description for this new Security Group and click on the OK button.

[Figure: Security Management dialog]

4. On the Security Group Rights dialog, don't change anything and click on the Save button. The permissions on the new security group will be set at the role level.

[Figure: Security Group Rights dialog]

5. Set the Security group in the Permission tab of the Group Folder properties and click on the OK button.

6. Please consult our Online Help on how to Identify Security Groups.

Create Roles from the Active Directory Groups

7. Open the Roles Management dialog from the Devolutions Server Console.

[Figure: Devolutions Server Console]

8. Add a new Role.

[Figure: User and Security Management dialog]

9. On the Role Management dialog, click on the ellipsis button on the right of the Name field to select the Active Directory Group.

[Figure: Role Management dialog]

10. Select the Active Directory Group and click on the OK button.

[Figure: Select Group dialog]

11. On the Privileges tab of the Role Management dialog, you can enable one or all options to grant privileges to role members. Consult this online help page for more information about Role Management.

[Figure: Privileges tab - Role Management dialog]

12. On the Permissions tab of the Role Management dialog, assign the correct permissions on each Security Group.

[Figure: Permissions tab - Role Management dialog]

Evolution of the creation of Security Groups and Roles on the Tree View

1. Tree View before creating Security Groups and assigning them to Group Folders, for a user without administrator rights.

[Figure: Sessions without Security Groups]

2. Tree View after Security Groups are assigned to Group Folders and before creating Roles, for a user with administrator rights.

[Figure: Sessions with Security Groups]

3. Tree View after Security Groups are assigned to Group Folders and before creating Roles, for a user without administrator rights.

[Figure: Sessions without Roles permissions on Security Groups]

4. Tree View after Security Groups are assigned to Group Folders and after creating Roles, for a user without administrator rights.

[Figure: Sessions with Roles permissions on Security Groups]

7.7 How to Configure Scheduler in Devolutions Server

Description

These steps provide the information on how to configure the Scheduler feature in Devolutions Server and the IIS Manager. This makes it possible to enable the Backup and the Notification features in the Scheduler section of the Devolutions Server settings.

Steps

1. The Application Initialization Server Role must be activated on the server where the Devolutions Server instance is hosted. It is possible to check if this Server Role is installed with the Server Diagnostic tool from the server console. If the Application Initialization Server Role is already installed, continue on step 4.

[Figure: IIS Features Diagnostic dialog]

2. To install the Application Initialization Server Role, open the Server Manager on the machine where the Devolutions Server instance is hosted and, in the Manage drop down menu, select Add Roles and Features.

[Figure: Server Manager dialog]

3. In the Server Roles tab, expand the branch Web Server (IIS) - Web Server - Application Development and tick the Application Initialization option box. Click on the Next button until the Install button is available and click on it to install the Server Role.

[Figure: Add Roles and Features Wizard dialog]

4. Open IIS Manager, expand the tree view and select Application Pools. In the Application Pools list, select your web application and click on Advanced Settings in the Actions panel on the right. Then, change the Start Mode option to the value AlwaysRunning.

[Figure: IIS Manager Advanced Settings]

5. Still in the Advanced Settings, set the Idle Time-Out (minutes) option and the Regular Time Interval (minutes) option to the value 0.

[Figure: Application Pool Advanced Settings dialog]
[Figure: Application Pool Advanced Settings dialog]

6. Next, select the IIS root node, the one with the server name, and double-click on the Configuration Editor icon.

[Figure: IIS Manager]

7. In the Section drop down menu, select system.applicationHost/applicationPools. Then, click on the ellipsis button of the Collection line.

[Figure: IIS Manager Configuration Editor dialog]

8. In the Collection Editor dialog, select the Devolutions Server web application. Then, set the autoStart parameter to the value True and set the startMode parameter to the value AlwaysRunning. You can close the Collection Editor.

[Figure: Collection Editor dialog]

9. In the Section drop down menu, select system.applicationHost/serviceAutoStartProviders. Then, click on the ellipsis button of the Collection line.

[Figure: IIS Manager Configuration Editor dialog]

10. In the Collection Editor dialog, click on the Add link in the Actions panel on the right. Fill in the name field with the value DVLSSchedulerProvider and fill in the type field with the value PreLoader, Devolutions.Server. Be sure to put a space character just after the comma. You can close the Collection Editor.

[Figure: Collection Editor dialog]

11. In the Section drop down menu, select system.applicationHost/sites. Then, click on the ellipsis button of the Collection line.

[Figure: IIS Manager Configuration Editor dialog]

12. Next, select the Default Web Site collection and, on the Collection line, click on the ellipsis button.

[Figure: Collection Editor dialog]

13. Select the web application of the Devolutions Server instance and set the serviceAutoStartProvider parameter to the value scheduleProvider. You can close every Collection Editor dialog.

[Figure: Collection Editor dialog]

14. To save these modifications, close the IIS Manager, or click anywhere in the tree view of the IIS Manager and click on the Yes button to save everything.

[Figure: Configuration Editor save dialog]

15. If the Integrated Security option is activated in the Database tab of the Devolutions Server instance, the SQL user account must have the db_backupoperator database role if it is not set as the db_owner.

[Figure: SQL login properties dialog]

7.8 How to Configure Notifications

Description

These steps provide information on how to configure Notifications of activities on a Devolutions Server instance.

Steps

The Email settings must be configured in the Devolutions Server instance in order for notifications to be sent.

1. In the Server settings, select the Notifications tab. To activate the notifications, check the Allow notification subscription option and change the Time Zone to the appropriate time zone. Click on the Save button.
[Figure: Scheduler tab]

2. On the Administration menu, click on the Notifications icon.

[Figure: Administration ribbon - Notifications]

3. In the left column, select the user that will receive the email notifications and check all notification types the user should receive.

[Figure: Notifications dashboard]

4. Click on the Save button to save the configuration.

[Figure: Notifications console]

Configure more than one Entries, Connection Opened Notifications or Todos

1. Click on the plus icon at the right to add a new Entries Notification.

[Figure: Entries Notification]

2. Enable a second Entries Notification. It can be set on a particular Group Folder, as in the following example. The first Notification will be sent when a user adds a session anywhere in the Data Source. The second Notification will occur when someone deletes a session in the Windjammer\Corporate\Servers Group Folder.

[Figure: Two Entries Notifications]

3. It is also possible to set multiple notifications on Open Connections and Todos.

[Figure: Opened Connections Notifications]
[Figure: Todos Notifications]

7.9 How to enable the Devolutions Server logs

Description

The Log debug information option must be enabled in order to view the logs. Consult the Logging topic for more information.

From the Devolutions Server Console, click on the View logs icon.

[Figure: Devolutions Server Console]

Select the log entry to view the details in the bottom section.

[Figure: Devolutions Server Log tab]

7.10 How to import users from LDAP

Description

The Domain authentication method must be activated to be able to import users from LDAP. Consult the Authentication topic for more information.

From the Devolutions Server Console, click on the Import Users icon.

[Figure: Devolutions Server Console]

Select the users you want to add and click on the Import button.
[Figure: Import Users from LDAP dialog]

7.11 How to configure Windows Authentication

Description

These steps provide the information to enable the Windows Authentication feature in Devolutions Server.

Steps

1. In the Authentication tab of the Server Settings of the Devolutions Server instance, enable the Enable Windows Authentication option box and click on the Save button.

[Figure: Server Settings dialog]

2. In the Server Roles, install the Windows Authentication server role.

[Figure: Add Roles and Features Wizard dialog]

3. Next, open the IIS Manager, select the server in the tree view and open the Feature Delegation in the Management section.

[Figure: IIS Manager]

4. Set the Authentication - Anonymous and the Authentication - Windows feature delegation to the value Read/Write.

[Figure: IIS Manager - Feature Delegation]

5. Finally, in the data source configuration of each client, enable the Use Windows Authentication option.

[Figure: Data Source configuration dialog]

Part VIII Support/Resources

8 Support/Resources

8.1 FAQ (Frequently Asked Questions)

What is Devolutions Server?

Devolutions Server is a specialized data source for our various client applications of the Remote Desktop Manager and Password Vault Manager platforms.

Why buy Devolutions Server?

Ideal for businesses that would prefer to store their data in-house, want to deploy their own SSL certificate or firewall, or who need Active Directory integration with role management.

What are the key benefits of Devolutions Server?
Devolutions Server is installed on your hardware, in your environment, or with your ISP to give you total control of everything, including:

· Active Directory integration
· Role management
· Hardware
· Operating System
· Firewall / Application Delivery
· Load Balancing / Fault tolerant environment for the web server layer
· Database, including clustering / failover capabilities
· Backups
· SSL certificates

Devolutions Server also offers an improved security model, as database access is limited to the server and no direct connection is established. This secure architecture is a significant improvement over standard client-server architecture (SQL Server data source).

Can I get a trial of Devolutions Server?

Yes - Request a trial

Does Devolutions Server include a client license of Remote Desktop Manager?

Devolutions Server does not include any client licenses.

Is Devolutions Server subscription based?

Yes, Devolutions Server is subscription based. You can subscribe for one (1) year or three (3) years at a time, giving you unlimited client connectivity for that period of time.

What if I no longer want/need a Devolutions Server? Is my data still accessible?

Yes, once your Devolutions Server subscription is expired you can still access the data using one of our applications. However, the Devolutions Server data source will no longer be accessible. You will need to reconfigure your clients to connect directly to the database using a SQL Server data source. Since Active Directory integration will not be allowed anymore, you will need to reassign user permissions.

Can I upgrade from a SQL Server data source to Devolutions Server?

Yes, the underlying SQL Server database structure for the SQL Server data source is a subset of the Devolutions Server database structure. When installing/configuring the Devolutions Server, simply specify the existing database and choose upgrade.
Note: Before executing any database modification it is always a good idea to make sure you have a proper backup of the database.

Can I downgrade from a Devolutions Server down to SQL Server data source?

Yes, since the database for Devolutions Server is a superset of the SQL Server data source. Simply connect to the database using the SQL Server data source and your sessions will all be available. Keep in mind that not all Devolutions Server features will be accessible when using the SQL Server data source; you will need to review all security permissions.

8.2 Follow Us

Overview

Get the hottest information about our products - tips and tricks, case studies and new release announcements! This is not a marketing newsletter. We focus on the issues that matter to you, whether you're looking for up-to-the-minute software tutorials, additional outside resources, or a peek at how others are using our products.

Links

· Facebook: http://facebook.remotedesktopmanager.com
· LinkedIn: http://linkedin.remotedesktopmanager.com
· RSS feeds: http://rss.remotedesktopmanager.com
· Twitter: http://twitter.remotedesktopmanager.com
· YouTube: http://youtube.remotedesktopmanager.com
· Blog: http://blog.remotedesktopmanager.com
· Google+: http://plus.remotedesktopmanager.com/
· Spiceworks: http://spice.devolutions.net
· Forum: http://forum.devolutions.net

8.3 Previous Versions

Description

Here are the links to the PDF manuals of past releases.

· Devolutions Server 4.0
· Devolutions Server 3.2
· Devolutions Server 3.0
· Devolutions Server 2.5

8.4 Technical Support

Standard Support plan

Support is solely through our online forums at http://forum.devolutions.net/.

Extended and Premium support plans

Subscribers of a paid support plan receive an email address and a plan ID. You should send your support requests to the appropriate email address and provide your plan ID in the subject line.
You are also encouraged to find information and ask questions in our forums at http://forum.devolutions.net/. They contain years of relevant information and have the benefit of being enriched for the whole community when we post an answer.

Please consult our Support Policy for more information.

8.5 Knowledge Base

8.5.1 User Agent

User Agent of Remote Desktop Manager Enterprise - Windows Edition

The User Agent used by Remote Desktop Manager Enterprise - Windows Edition when it connects to Devolutions Server is:

Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000)

8.5.2 Ports And Firewalls

Description

Devolutions Server in itself does not dictate which ports to use for any of the resources that it accesses. You must consult with your system administrator to ascertain which adjustments need to be made in order for the system to inter-operate with your infrastructure.

Inbound

The only inbound port that is needed for Devolutions Server is for http or https communication, as per your preference. We strongly recommend using https even if only within your own network infrastructure. Although the default port is easily changed, it is typically port 443.

Outbound

Two technologies are in play for proper operation of Devolutions Server: SQL Server and LDAP.

SQL Server

Depending on the choice of Default Instance or Named Instance that was made during the installation, the SQL Server instance will listen on different ports. Using SQL Server Configuration Manager, you can see the details in the Protocols section.

[Figure: SQL Server Configuration Manager - Protocol details]

In most cases, TCP/IP will be used for remote connections. You will be able to see what ports are in use. If you see that TCP Dynamic Ports are in play, they will change upon every restart of the SQL Server instance and therefore are not a good fit for a hardened installation.
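As an added example (not part of the Devolutions documentation), the following PowerShell reads the TCP port settings that SQL Server Configuration Manager displays and flags instances that listen on dynamic ports. It assumes it is run locally on the SQL Server host in a 64-bit session with rights to read HKLM; the function name Get-SqlTcpPortAudit is hypothetical.

```powershell
# Added example: report static vs. dynamic TCP ports for every local
# SQL Server Database Engine instance. Function name is hypothetical.

function Get-SqlTcpPortAudit {
    $root     = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    $namesKey = "$root\Instance Names\SQL"

    # No Database Engine instance is registered on this machine.
    if (-not (Test-Path -Path $namesKey)) { return }

    $names = Get-Item -Path $namesKey
    foreach ($instance in $names.GetValueNames()) {
        # Maps the instance name to its instance ID (the registry folder name).
        $instanceId = $names.GetValue($instance)
        $tcpKey     = "$root\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp"
        $ipAllKey   = "$tcpKey\IPAll"
        if (-not (Test-Path -Path $ipAllKey)) { continue }

        # IPAll applies when the instance listens on all IP addresses (the
        # default). Per-address keys (IP1, IP2, ...) sit beside it otherwise.
        $tcp     = Get-Item -Path $tcpKey
        $ipAll   = Get-Item -Path $ipAllKey
        $static  = [string]$ipAll.GetValue('TcpPort', '')
        $dynamic = [string]$ipAll.GetValue('TcpDynamicPorts', '')

        [pscustomobject]@{
            Instance         = $instance
            TcpEnabled       = [bool]$tcp.GetValue('Enabled', 0)
            StaticPort       = $static
            DynamicPort      = $dynamic
            # A blank TcpDynamicPorts means dynamic ports are off. "0" or a
            # port number means the port can change when the instance restarts.
            UsesDynamicPorts = -not [string]::IsNullOrWhiteSpace($dynamic)
        }
    }
}

# Instances that need a fixed port before firewall rules can be pinned down.
Get-SqlTcpPortAudit | Where-Object { $_.TcpEnabled -and $_.UsesDynamicPorts }
```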
Figure: TCP/IP Properties

For more information please consult SQL Server Configuration Manager on Technet.

LDAP/LDAPS

As indicated in LDAPS on Technet, LDAP communications are by nature insecure under certain conditions:

"By default, LDAP communications between client and server applications are not encrypted. This means that it would be possible to use a network monitoring device or software and view the communications traveling between LDAP client and server computers. This is especially problematic when an LDAP simple bind is used because credentials (username and password) are passed over the network unencrypted. This could quickly lead to the compromise of credentials."

Follow the instructions for your operating system in order to establish LDAPS. It will involve deploying certificates generated using your own Certification Authority (CA).

LDAP by default uses port 389. Even when you enable LDAPS, plain LDAP may still be used, so it needs to be disabled; please consult Enforcing usage of LDAPS.

LDAPS by default uses port 636 for typical domains, but will use port 3269 when communicating with a Global Catalog Server (basically when you have a Forest).

Your domain administrator should be able to provide you with details of your domain infrastructure, especially if custom ports were used. You can also use ldp.exe to perform connectivity tests.

8.5.3 Enforcing usage of LDAPS

Description

To require that a directory server rejects simple binds which occur on a clear text connection, you must apply a policy.

Please refer to How to enable LDAP signing in Windows Server 2008 for the original article, but we will duplicate the content here for ease of use (especially since we had a hard time finding it ourselves...).

How to configure the directory to require LDAP server signing using Group Policy

How to set the server LDAP signing requirement

1. Click Start, click Run, type mmc.exe, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Group Policy Management Editor, and then click Add.
4. In the Select Group Policy Object dialog box, click Browse.
5. In the Browse for a Group Policy Object dialog box, click Default Domain Policy under the Domains, OUs and linked Group Policy Objects area, and then click OK.
6. Click Finish.
7. Click OK.
8. Expand Default Domain Controller Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
9. Right-click Domain controller: LDAP server signing requirements, and then click Properties.
10. In the Domain controller: LDAP server signing requirements Properties dialog box, enable Define this policy setting, click to select Require signing in the Define this policy setting drop-down list, and then click OK.
11. In the Confirm Setting Change dialog box, click Yes.

How to set the client LDAP signing requirement through local computer policy

1. Click Start, click Run, type mmc.exe, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, and then click Add.
4. Click Finish.
5. Click OK.
6. Expand Local Computer Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
7. Right-click Network security: LDAP client signing requirements, and then click Properties.
8. In the Network security: LDAP client signing requirements Properties dialog box, click to select Require signing in the drop-down list, and then click OK.
9. In the Confirm Setting Change dialog box, click Yes.

How to set the client LDAP signing requirement through a domain Group Policy Object

1. Click Start, click Run, type mmc.exe, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, and then click Add.
4. Click Browse, and then select Default Domain Policy (or the Group Policy Object for which you want to enable client LDAP signing).
5. Click OK.
6. Click Finish.
7. Click Close.
8. Click OK.
9. Expand Default Domain Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
10. In the Network security: LDAP client signing requirements Properties dialog box, click to select Require signing in the drop-down list, and then click OK.
11. In the Confirm Setting Change dialog box, click Yes.

8.5.4 SQL Server Express configuration

Description

To be able to connect to a SQL database with Devolutions Server, here is the suggested configuration in Microsoft SQL Server Express Edition.

Steps

Most of our customers use the mixed mode Server Authentication. As per Microsoft, it is not the safest authentication method to use with Microsoft SQL Server Express Edition but we recommend using it to configure and test your Devolutions Server instance. After a successful installation of Devolutions Server, you can set it back to Windows Authentication mode and set the Integrated Security option in the Database tab of the Devolutions Server Server Settings. Consult this topic on How to Configure Devolutions Server to use integrated security.

To enable the mixed mode, in the Microsoft SQL Server Management Studio, open the properties dialog of your server and go in the Security tab. Then, select the SQL Server and Windows Authentication mode option.

The next option that needs to be activated is the Allow remote connections to this server option. You will find that option in the Connections tab of the SQL Server Properties dialog. Then, click on the OK button to save the modifications.
Finally, the SQL Server Browser service must be started on the machine where the SQL Server is hosted. Please run services.msc and look for the SQL Server Browser in the list.

We recommend setting the Startup type to Automatic for the SQL Server Browser service. Double-click on the service to open the properties dialog. Then, start the service by clicking on the Start button and select Automatic in the Startup type drop down menu. Finally, click on the OK button.

8.5.5 Backup

Description

Here are the recommended steps to enable the Backup scheduler.

Steps

1. Create a network shared folder that the server which hosts the Devolutions Server instance and the SQL Server will have access to.
2. Configure the Scheduler in the IIS Manager as explained in the following topic How to Configure Scheduler in Devolutions Server.
3. Enable the Backup in the Scheduler tab of the Devolutions Server Settings.
4. Configure the options in the Backup Manager. For more information please see Backup Manager.

8.5.6 Manage Encryption Keys on a High Availability Topology

Description

The encryption keys must be the same on each Devolutions Server instance of your High Availability Topology. Here are the steps to manage the encryption keys on that specific environment.

If you have to upgrade Devolutions Server, please upgrade one instance at a time.

1. Open the Devolutions Server Console on the first server.
2. Open the Advanced menu on the right of the Devolutions Server Console and click on Manage Encryption Keys.

Figure: Devolutions Server Console

3. Set the Operation to Export, enter a password and click on the OK button.

Figure: Manage Encryption Keys dialog

4. Select a folder where to save the file and click on the Save button.
5. Copy the encryption file on the other server.
6. Go on another server where Devolutions Server is hosted and open the File Explorer in the App_Data subfolder of your web application folder. Delete every encryption file you will find in that subfolder.
7. Open the Devolutions Server Console on the server. Then, open the Advanced menu on the right of the Devolutions Server Console and click on Manage Encryption Keys.

Figure: Devolutions Server Console

8. Set the Operation to Import and click on the OK button.

Figure: Manage Encryption Keys dialog

9. Select the encryption file and click on the Open button.

Figure: Select the encryption file

10. Enter the password and click on the OK button.

Figure: Import Encryption Keys password dialog

11. Click on the Yes button on the Change encryption keys warning dialog. Because the encryption keys were deleted, this operation will not be completed on the database. It will use the same encryption keys as the other server.

Figure: Change Encryption Keys warning dialog

8.6 Troubleshooting

8.6.1 After Upgrading Server the Devolutions Server Console is Empty

Description

You have attempted to upgrade your Devolutions Server instance and the upgrade was not completed correctly. Now, your instance is not present in the Devolutions Server Console and your data source is not connected.

Figure: Devolutions Server Console empty

Instructions

1. Navigate to the %temp%\RDM folder and copy the content of the folder.
2. Navigate to the folder where your Devolutions Server was deployed originally and paste the content of %temp%\RDM inside.
3. If you close and reopen your Devolutions Server Console, your instance should be present.
4. You can now proceed again with the upgrade of your server.
If the files are not present or the solution doesn't work, you will need to restore the backup that you have created in the preparation phase as described in Upgrading Devolutions Server.

8.6.2 Cannot Log in After DVLS Upgrade

Error

After upgrading Devolutions Server, users cannot authenticate anymore.

Figure: Error dialog at data source login attempt

Figure: Error at login attempt from web interface

Cause 1

Please note that if the user name format used is only the Username instead of one of NETBIOS (Domain\Username) or UPN (username@domain), it will be impossible to authenticate on Devolutions Server version 4.5.

A DB Script will need to be run in order to prefix the domain name in the username field. We can send the script upon request, but we would prefer to perform this task with you in a remote session.

Cause 2

The account authentication type is not specified.

From the computer hosting the Devolutions Server instance, launch Remote Desktop Manager with elevated privileges. In the Ribbon, navigate to Tools - Devolutions Server Console.

Figure: Remote Desktop Manager - Tools - Devolutions Server Console

Select the Devolutions Server instance and click on the User Management button.

Figure: Devolutions Server Console - User Management

Edit each user and verify if the Authentication type can be edited. If the field can be edited, this means that the authentication type is not specified and was guessed by the application. DO NOT CHANGE THE AUTHENTICATION TYPE. Simply click on the OK button to save the authentication type.

If the authentication type is already saved in the database, it is not possible to change to another authentication type.

Figure: User Management

It is also possible to use the Batch Edit feature in the User Management to edit all selected users at the same time.
Figure: User Management - Batch Edit

Check the second Override box, and select the correct Authentication type.

If the authentication type is saved in the database, it will not be possible to change it later. Make sure to select the correct authentication type before saving any modification.

Figure: Batch Edit - Override Authentication Type

8.6.3 Failed Request Tracing with IIS

Description

This topic will present how to install and configure a Failed Request Tracing Log rule for troubleshooting HTTP 500 error issues on the IIS site.

· Enable Failed Request Tracing in IIS
  A detailed step by step to add the role on a Windows Server 2012R2.
· Configure Failed Request Tracing
  Configuration needed for troubleshooting HTTP 500 error issues.
· Consult the Failed Request Tracing log
  Where and how to look at the Failed Request Tracing logs.

For more information about Failed Request Tracing, please visit https://www.iis.net/configreference/system.webserver/tracing/tracefailedrequests.

8.6.3.1 Enable Failed Request Tracing in IIS

Enable Failed Requests Tracing in IIS

The following steps are applicable on Windows Server 2012R2.

1. Open the Server Manager. Choose Add Roles and Features from the Manage menu.

Figure: Server Manager - Add Roles and Features

2. Select the installation type and then click Next.

Figure: Select installation type

3. Select the destination server and then click Next.

Figure: Select destination server

4. On the Select server role page, expand the Web Server (IIS) role, expand Web Server and expand Health and Diagnostics. Then select Tracing and click Next.

Figure: Select server roles

5. On the page Select features, click Next.

Figure: Select features

6. On the page Confirm installation selections, click Install.
Figure: Confirm installation selections

7. On the Results page, click Close.

Figure: Installation progress

8.6.3.2 Configure Failed Request Tracing

Configure Failed Requests Tracing

The following steps are applicable on Windows Server 2012R2.

1. In the Server Manager, click on the Tools menu and open the Internet Information Services (IIS) Manager.

Figure: Server Manager

2. In the IIS Manager, expand the Web site (VWINDSRV-RDMS2), expand Sites and then select Default Web Site.

Figure: Internet Information Services (IIS) Manager

3. On the right, in the Actions pane, select Failed Requests Tracing....

Figure: Actions pane

4. Select the Enable check box and then click OK. The Directory target and the Maximum number of trace files can be modified.

Figure: Edit Website Failed Request Tracing Settings

5. Expand Default Web Site and select the Web site to be traced.

Figure: Internet Information Services (IIS) Manager

6. Double click on the Failed Request Tracing Rules icon of the selected Web Site.

Figure: Internet Information Services (IIS) Manager

7. In the Actions pane on the right, click on Add... to add a new rule.

Figure: Failed Request Tracing Rules

8. Select ASP.NET (*.aspx) and click Next.

Figure: Specify Content to Trace

9. Select the Status Code(s) check box. Enter the type of the status code to be traced, in this case type in the status code 500, and click Next.

Figure: Define Trace Conditions

10. The last setting is to select the providers of the tracing. Select ASPNET and WWW Server. For each of them, set the Verbosity to Verbose. Finally, check all Areas settings for these two providers and click Finish.

Figure: Select Trace Providers

11. The tracing rule is now defined.
Figure: Failed Request Tracing rule defined

8.6.3.3 Consult the Failed Request Tracing log

Consult the Failed Request Tracing log

With Failed Request Tracing enabled, the log files are created and populated in the directory set up on step Edit Website Failed Request Tracing Settings. By default, the path is %SystemDrive%\inetpub\logs\FailedReqLogFiles. In this place, a folder typically named W3SVC1 will be created when the first case happens. There will be an XSL file (freb.xsl) for the display style in an XML viewer like Internet Explorer. Also, and most important, there will be the XML files (fr######.xml). Open an XML file to view the log triggered by the tracing rule.

Figure: Failed Request Tracing log folder

Here is an example of a Failed Request Tracing log:

Figure: Failed Request Tracing log

8.6.4 IIS Logging

Description

Here is the description of desired settings when we troubleshoot a performance/connectivity issue related to the client application.

IIS Web Site Logging

1. Open IIS Manager and go in the Logging settings.

Figure: IIS Manager

2. Click on Select Fields.

Figure: Logging panel

3. We recommend that AT LEAST the following fields be selected:

Figure: Field selection dialog

Application pool recycle

The application pool that is in fact running the instance can be restarted for a multitude of reasons. It may be useful to know when those recycles occur as well as the reasons.

Go in the Application pools section of the IIS manager, then open the Advanced settings for your application pool. Enable all of the Recycle events; each one will create a log entry in the Windows Event Log.

Figure: Advanced settings for an Application Pool.

8.6.5 Server Diagnostic

Description

The server diagnostic validates if all the necessary IIS features are enabled to run Devolutions Server properly.
Settings

Remote Desktop Manager Enterprise - Windows Edition must be started with elevated privileges when the Devolutions Server Console needs to be used.

The server diagnostic is available from the Tools -> Devolutions Server Console menu.

Figure: Devolutions Server Console

This diagnostic will verify if all the IIS features are installed properly.

The Application Initialization warning is about our new Backup feature that is not fully functional. You can ignore the warning safely.

8.6.6 Web interface content looks wrong

Description

If you have completed your Devolutions Server installation and its Web interface isn't displaying properly (as shown below), here are some steps to follow to resolve the issue.

Figure: Devolutions Server Web interface

Steps

1. Proceed to an IIS Features Diagnostic and verify if all the IIS features are on and installed properly. If you see that your Static Content hasn't been properly installed you will need to enable that Windows Feature.

Figure: IIS Features Diagnostic

2. In Windows Features, under World Wide Web Features - Common HTTP Features verify if the option Static Content is turned on.

Figure: Windows Features

8.6.7 Login failed

Description

When trying to log in with the web interface of the Devolutions Server, you can possibly get a Login failed error.

Cause 1

The Login failed for user 'Domain\ServerName$' error with a '$' at the end of the server name is caused by a wrong setting of the Application Pool Identity in Internet Information Services Manager (IIS). The Application Pool Identity must be set with a specific account when activating the Integrated Security option in the Server Settings of Devolutions Server. For more information about Integrated security, please refer to How to Configure Devolutions Server to use integrated security.
Figure: Login failed for user 'Domain\ServerName$'

Steps

1. Please open the IIS Manager and select the Application Pools in the Connections pane. Then, select the Application of your Devolutions Server and click on the Advanced Settings from the Actions pane.

Figure: IIS Manager - Application Pools

2. On the Advanced Settings dialog, select Identity and click on the ellipsis button on the right.

Figure: Application Pools - Advanced Settings

3. Select Custom account and click on the Set... button.

Figure: Application Pool Identity

4. Fill in the credentials and click on the OK button. This account must have the proper rights in order to run the web interface of the Devolutions Server.

Figure: Set Credentials

5. Now the Application Pool Identity is set with an account with proper rights for running this application.

Figure: Advanced Settings

Cause 2

The Login failed for user 'IIS APPPOOL\ApplicationPoolName' error is related to insufficient permissions for the ApplicationPoolIdentity or nonexistent user ApplicationPoolName on the SQL database. I when the SQL Server and Devolutions Server are hosted on the same machine.

Figure: Login failed for user 'IIS APPPOOL\ApplicationPoolName'

Steps

1. Using Microsoft SQL Server Management Studio, right-click on the Security branch and select New Login.

Figure: SQL Server Management Studio

2. For the login, type IIS APPPOOL\AppPoolName and DO NOT CLICK SEARCH (if a search is executed, it will resolve to an account with ServerName\AppPoolName and SQL will be unable to resolve the account's SID since it is virtual).

Figure: Create SQL User

3. Please follow the instructions from step 4 of the online help page How to Grant access to SQL Server instance.
8.6.8 Error Uploading Document

Description

You get an HTTP 413 error when trying to upload or attach a document to an existing entry.

Figure: Error message dialog

Steps

1. Open the IIS Manager on the server where Devolutions Server is hosted.
2. Expand the tree view and select the Devolutions Server web application name and open the Configuration Editor in the Management section.

Figure: IIS Manager

3. Select the value system.webServer/serverRuntime in the Section drop down menu. Then, increase the value of the uploadReadAheadSize parameter. This value is in bytes so if you want to load a 50MB file, you have to change the value to 51200.

Figure: IIS Configuration Editor

For more information about these settings, you can consult this web page: https://www.iis.net/configreference/system.webserver/serverruntime

8.6.9 The remote server returned an error (405) Method Not Allowed

Description

You get the following Error message dialog when you try to create or modify an entry.

Figure: Error message dialog

Steps

Please note that you will have to restart the server after removing the WebDAV Publishing role to complete the procedure.

1. On the server where the Devolutions Server instance is hosted, open the Server Manager application.
2. Then, open the Remove Roles and Features in the Manage menu.

Figure: Server Manager

3. In the Server Roles, uncheck the WebDAV Publishing role.

Figure: Remove Roles and Features Wizard dialog

4. Click on the Remove button to uninstall the WebDAV Publishing role from the server.

Figure: Remove Roles and Features Wizard dialog

8.6.10 Blank login page on a Windows Server 2008R2

Description

When you open the web page of the Devolutions Server instance, the web page is blank.
This is due to a malformed XML web.config file, caused by a specific parameter that is not supported by IIS version 7 or 7.5, and also to a missing json application MIME type in the web application.

These steps are suitable for version 4.0.7.0 and above.

Steps

1. Edit the web.config file that is located in the client1.0.0-1 subfolder of the Devolutions Server web application folder.

Figure: Devolutions Server web application folder

2. Remove the setEtag="false" parameter from the web.config file and save the file.

Figure: web.config file

3. Next, open IIS Manager and select the node with your web server name. Then, double-click on the MIME Types icon.

Figure: IIS Manager

4. In the MIME Type list, if the .json entry doesn't already exist, click on the Add link in the Actions panel on the right and fill in the appropriate field. Set the File name extension field with the value .json and the MIME type field with the value application/json and click on the OK button.

Figure: Add .json MIME type

5. There is no need to reboot the server or recycle the IIS server after these modifications.

8.6.11 Duplicate Devolutions Server instance

Description

When you open the Devolutions Server Console, two instances of the same Devolutions Server are visible in the console, one of them with only a "/" as the Web Application Name.

Figure: Devolutions Server Console

Cause 1

Using the default parameters of the IIS Manager, the Default Web Site points to the same Physical Path as the Devolutions Server web application.

Steps

Change the path of the Web Site in the IIS Manager.

1. Open IIS Manager, select the Web Site that contains the Devolutions Server web application and click on Advanced Settings in the Actions panel on the right.

Figure: IIS Manager

2. Change the Physical Path of the Web Site from the Devolutions Server subfolder to the parent folder.
Figure: Web Site Advanced Settings - Before the Physical Path modification

Figure: Web Site Advanced Settings - After the Physical Path modification

3. Restart your IIS Server.

Figure: IIS Manager

4. On the Devolutions Server Console, click on the Refresh button and just one instance should be displayed.

Figure: Devolutions Server Console

Cause 2

When the Web Site is located in a different folder than the default one used by the IIS Manager, the Web Site points to the same Physical Path as the Devolutions Server web application.

Figure: Devolutions Server Console

Steps

To have only one Devolutions Server instance without any duplicate, the Physical Path of the instance must point to a subfolder of the Web Site Physical Path.

1. Open the Windows Explorer and create a folder in the Physical Path of the Web Site. In the image below, the name of the new folder is DVLS. It can be another folder name that fits your needs.

Figure: Windows Explorer

2. Move the selected files and folders into that new subfolder, i.e. DVLS.

Figure: Windows Explorer

3. Open the IIS Manager and select the Devolutions Server web application in the tree view and click on Advanced Settings in the Action panel on the right.

Figure: IIS Manager

4. Change the Physical Path to point to the new folder created in step 1.

Figure: Advanced Settings dialog

5. To restart your IIS Server, select the root in the tree view and click on Restart in the Actions panel on the right.

Figure: IIS Manager

6. On the Devolutions Server Console, click on the Refresh button and just one instance should be displayed.
Figure: Devolutions Server Console

8.6.12 Cryptographic Exception - The parameter is incorrect error message

Description

After the upgrade of Remote Desktop Manager to version 12.5.x on the server where the Devolutions Server instance version 4.0.7.0 is hosted, the encryption.config file is updated if you change the configuration of the instance.

Figure: System.Security.Cryptography.CryptographicException error message dialog

Steps

The XML tags are not recognized by Devolutions Server and they must be replaced by the old XML tags.

1. Go in the App_Data folder that is located in the web application folder of the DVLS instance. If the default value is used, the installation path is C:\inetpub\wwwroot\DVLS\App_Data.
2. Edit the encryption.config file.
3. Remove the line with the <SafeAttachmentStorageKey> tag.
4. Change the tag <SafeLoginKey> to <SafeRsaKey>. Don't forget to also change the closing tag to </SafeRsaKey>.
5. Change the tag <SafeTokenStorageKey> to <SafeAesKey>. Don't forget to also change the closing tag to </SafeAesKey>.

The encryption.config file before the modification:

Figure: encryption.config file before modification

The file after the modification:

Figure: encryption.config file after modification

Every time someone modifies the configuration of the DVLS instance, these steps have to be repeated.
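Because steps 3 to 5 of section 8.6.12 have to be repeated after every configuration change, they can be scripted. The following PowerShell function is an added example, not Devolutions code: the name Repair-DvlsEncryptionConfig is hypothetical, and it assumes each key element sits alone on one line of encryption.config, as step 3 implies. It never prints key values, keeps a backup, and refuses to write a result that is not well-formed XML.

```powershell
function Repair-DvlsEncryptionConfig {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Default location named in step 1; pass -Path for a custom install folder.
        [string]$Path = 'C:\inetpub\wwwroot\DVLS\App_Data\encryption.config'
    )
    $ErrorActionPreference = 'Stop'
    $Path = (Resolve-Path -LiteralPath $Path).ProviderPath

    $dropTag = 'SafeAttachmentStorageKey'            # step 3: line to remove
    $renames = [ordered]@{
        'SafeLoginKey'        = 'SafeRsaKey'         # step 4
        'SafeTokenStorageKey' = 'SafeAesKey'         # step 5
    }

    # Read the file and remember its encoding and line ending for the rewrite.
    $reader = New-Object System.IO.StreamReader($Path, $true)
    try     { $text = $reader.ReadToEnd(); $encoding = $reader.CurrentEncoding }
    finally { $reader.Dispose() }
    $eol   = if ($text -match "\r\n") { "`r`n" } else { "`n" }
    $lines = $text -split "\r?\n"

    # A removable line holds the whole element and nothing else.
    $dropLine = "^\s*<$dropTag\b[^>]*(/>|>.*</$dropTag>)\s*$"
    $removed  = 0
    $out = foreach ($line in $lines) {
        if ($line -match "</?$dropTag\b") {
            if ($line -notmatch $dropLine) {
                throw "<$dropTag> does not sit alone on one line; edit $Path by hand."
            }
            $removed++
            continue
        }
        foreach ($old in $renames.Keys) {
            # Renames both the opening and the closing tag.
            $line = $line -replace "(</?)$old\b", "`${1}$($renames[$old])"
        }
        $line
    }
    $newText = $out -join $eol

    $changed = $newText -cne ($lines -join $eol)
    $backup  = $null
    if ($changed) {
        [void][xml]$newText    # throws if the result is not well-formed XML
        if ($PSCmdlet.ShouldProcess($Path, 'Apply encryption.config tag edits')) {
            # The backup contains the same key material: protect it like the
            # original and delete it once the instance is confirmed working.
            $backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
            Copy-Item -LiteralPath $Path -Destination $backup
            [System.IO.File]::WriteAllText($Path, $newText, $encoding)
        }
    }

    [pscustomobject]@{
        Path         = $Path
        Changed      = $changed
        RemovedLines = $removed
        Backup       = $backup
    }
}

# Preview without touching the file, then run for real:
#   Repair-DvlsEncryptionConfig -WhatIf
#   Repair-DvlsEncryptionConfig
```

Running it on a file that already uses the old tag names reports Changed = False and writes nothing.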