RC Admin
This edition applies to version 9, release 1, modification level 0 of IBM Endpoint Manager and to all subsequent
releases and modifications until otherwise indicated in new editions.
Contents
Chapter 1. Overview of the IBM Endpoint Manager for Remote Control system  1
Chapter 2. Setting a secure environment  3
  Using a secure URL  3
    Selecting https during installation  3
    Disabling http  3
    Enforcing logon via https  3
    Secure communication configuration  4
  Signed certificate management  7
    Installing a certificate  7
    Backing up your certificate file  9
  Setting password rules  10
  Locking user accounts  12
Chapter 3. Accessing the IBM Endpoint Manager for Remote Control Server Web Interface  15
  Logging on to the IBM Endpoint Manager for Remote Control server  15
    Getting a temporary logon password  15
    Setting up email  16
  Logging off from the IBM Endpoint Manager for Remote Control server  16
Chapter 4. Unlocking user accounts  17
Chapter 5. Managing targets and target groups  19
  Managing Targets  19
    Deleting a target  19
    Assigning targets to target groups  20
  Creating target groups  22
  Viewing Target Groups  24
  Managing Target Groups  24
    Viewing the members of a target group  25
    Deleting a target group  25
    Changing the details for a target group  26
    Removing members from a target group  26
    Assigning target groups to other target groups  28
    Setting permissions for a target group  29
    Searching for target groups  29
Chapter 6. Managing users and user groups  31
  User account authorities and the functions available to each account  31
  Creating user accounts  32
  Viewing user accounts  33
  Managing user accounts  33
    Setting user account privileges  33
    Modifying user details  34
    Removing users  35
    Unlocking user accounts  35
    Viewing a list of previous sessions established by a user  36
    Searching for users  36
  Creating user groups  37
  Assigning users to groups  38
    Assigning at user account creation  38
    Assigning one user to one or more user groups  38
    Assigning multiple users to user groups  39
  Viewing user groups  40
  Managing user groups  40
    Viewing the members of a user group  41
    Deleting user groups  41
    Changing the details for a user group  42
    Removing members from a user group  42
    Assigning user groups to other user groups  43
    Setting permissions for a user group  44
    Searching for user groups  45
Chapter 7. Server session policies  47
Chapter 8. How policies are determined for a remote control session  63
  Setting the policies and permissions for a remote control session  63
    Values assigned for standard or normal permissions  64
    Giving policies a higher priority value  64
    Creating a permissions link  65
    Deleting a permissions link  67
    How permissions are derived  67
  Permissions set examples  69
    Example 1: - Standard priority 0 permissions  71
    Example 2: - Higher priority permissions  73
    Example 3: - Only relationship permissions are inherited  75
    Example 4 - No overrides Yes when priority values are the same  77
    Example 5 - Higher priority Yes overrides lower priority No  79
    In summary  81
Chapter 9. Managing permission sets for temporary access to targets  83
  Creating a set of permissions  83
  Viewing sets of permissions  84
  Modifying a defined set of permissions  84
  Deleting permission sets  85
Chapter 10. Requests for temporary access to targets  87
  Handling a request for temporary access to targets  87
    Giving users temporary access to target systems  87
    Revoking requests for temporary access to target systems  91
    Denying requests for temporary access to target systems  91
    Deleting requests for temporary access to target systems  92
    Viewing requests for temporary access to target systems  92
      Viewing outstanding access requests  93
      Viewing live access requests  93
      Viewing all access requests  93
Chapter 11. Generating custom reports  95
  Creating a Custom Report  95
    Creating a report by Sorting and Filtering  96
    Creating a report by editing the SQL statement  97
    Creating a report using Edit SQL feature  97
    Creating a report by adding tables and columns  100
  Running a Custom Report  100
  Viewing Custom Reports  101
  Managing custom reports  101
    Using the Edit Custom Report and Access feature  101
    Removing your access to a report  102
    Deleting custom reports  103
Chapter 12. Managing the home page for a user or group  105
  Creating and setting a home page  105
    Setting a default home page as a user  105
    Setting a home page for a group  106
  Viewing the default home page list  107
  Editing the default home page for a group  107
  Reset the default home page  107
    Resetting the default home page for a user  107
    Resetting the default home page for a group  108
Chapter 13. Options menu functions  109
  Adding a database table to a query  109
  Adding a database column to a query  109
Chapter 14. Admin Menu Functions  111
  Editing the properties file  111
  Configuring LDAP properties using the LDAP wizard  111
    Using the LDAP configuration utility  112
    Testing your LDAP connection  112
    Configuring LDAP group search parameters  113
    Configuring LDAP user search parameters  114
    Configuring additional LDAP settings  117
    Saving your LDAP configuration  118
  Viewing the application log  118
  Saving the application log for exporting  118
  Importing data into the database  118
  Viewing the server status  118
  Viewing the IBM Endpoint Manager for Remote Control Gateways  118
    Editing a IBM Endpoint Manager for Remote Control gateway  119
    Deleting a IBM Endpoint Manager for Remote Control gateway  119
    Creating a IBM Endpoint Manager for Remote Control Gateway  119
  Resetting the Application  120
  Configuring the user acceptance window  120
    Configuring the user acceptance window for a peer to peer session  122
    Uploading user acceptance window icons  124
  Creating a permission set  124
  Viewing the permissions sets  125
  Using rules to define target membership  125
    Defining when membership rules are applied  125
    Creating rules  127
    Viewing rules  128
    Checking rules  128
    Editing rules  129
    Deleting rules  129
Chapter 15. Remotely installing the target software  131
  Prerequisites for remote target installation  131
    Windows XP prerequisites  131
    Windows 7 prerequisites  131
    Windows Server 2008  133
    Windows Vista pre requisites  133
    UNIX and Linux targets  134
    IPv6 support for remote target installation  135
  Installing the target software remotely  136
  Viewing remote installation history  138
  Deleting remote installation history  139
Chapter 16. Ensuring targets are registered correctly  141
  Finding a perfect or best match for a target  141
  Matching on computer name  142
  Matching on GUID  143
Chapter 17. Recording the session on the target  145
Chapter 18. Set up for exporting recordings  147
  Setting up a Windows server for exporting recordings  147
  Setting up a Linux server for exporting recordings  147
Chapter 19. Audit log distribution  149
Chapter 20. Accessing targets on different networks  151
  Configuring the gateway support  151
    Configuring inbound connections  152
    Configuring gateway connections  153
    Configuring endpoint connections  154
    Configuring tunnel connections  155
    Configuring the targets to use tunnel connections  156
Chapter 21. Editing the properties files  171
  Template of field information  172
  trc.properties  172
  common.properties  208
  ldap.properties  214
  log4j.properties  219
  appversion.properties  222
  controller.properties  222
Chapter 22. Reducing the volume of target connections to the server  227
Chapter 23. Broker configuration  229
  Configuring the broker properties  229
  Setting server connection parameters  229
  Configuring the broker certificate  230
  Allowing endpoints to connect to a broker  230
  Support for multiple brokers  231
  Logging broker activity  232
  Configuring optional parameters  233
  Default configuration parameters  235
  Broker setup examples  239
Chapter 24. Managing brokers  243
  Registering a broker on the server  243
  Viewing a list of registered brokers  243
  Editing broker details  244
  Deleting a broker  244
Chapter 25. Certificate management  245
  Creating a self signed certificate  246
    Configuring the keystore on the broker  247
    Using strict verification with self signed certificates  248
    Extracting the certificate from the keystore  248
  Certificate Authority signed certificates  249
  Truststore configuration  250
    Adding a certificate to the truststore  250
    Viewing certificates in the truststore  251
    Editing a trusted certificate  251
    Deleting a trusted certificate  251
Chapter 28. Target registration before a remote control session  257
Chapter 29. Configuring target properties  259
  Specifying a target IP address for connecting to the server  259
    Specifying an IP address for a windows target  259
    Specifying an IP address for a Linux target  260
  Joining or Disconnecting a session  260
Chapter 30. Importing data from other sources  261
  Configuring LDAP  261
    Setting up LDAP synchronization  261
    Verifying connection information  263
    Configuring connection credentials  264
    Connection Security  265
    Setting user authentication properties  266
    Importing Active Directory Groups  269
    Testing the Connection  271
    Verifying that groups have been imported  272
    Sample LDAP Configuration File  272
  Import data from csv files into the IBM Endpoint Manager for Remote Control database  276
    Creating a csv file  277
    Mapping data in a csv file to the IBM Endpoint Manager for Remote Control database  277
    Viewing the list of defined Import Templates  280
    Changing the details of an Import Template  280
    Deleting Import Templates  280
    Importing a csv file  280
Chapter 31. Database table and column descriptions  283
  ASSET schema tables  283
  COMMON schema tables  291
Chapter 32. Troubleshooting and Help  305
  Recovering when the program is not running  305
  Login failure  305
  Using log files to solve a problem  305
    Obtaining the server log files  306
    Obtaining the controller log files  306
    Obtaining the target log files  307
    Obtaining the gateway log files  307
    Obtaining the broker log files  308
  Setting up the Trusted Sites zone  308
  Targets unable to contact the server successfully and a session cannot be established with these targets  309
  Remotely installed targets cannot contact the server  310
  Extending the time period before you are logged out of the server due to inactivity  311
  Gray screen on a Windows 2003 system  311
  Getting Help  313
    Using the Documentation  313
    Accessing the IBM Endpoint Manager for Remote Control product documentation  313
  Broker troubleshooting and FAQs  313
Appendix A. Gateway sample scenarios  317
  Overview  317
  Scenario 1 - Several networks using Network Address Translation (NAT)  318
  Scenario 2 - Meshed Networks  321
  Scenario 3 - Web hosting  323
Appendix B. Support  331
Notices  333
  Programming interface information  335
  Trademarks  335
  Terms and conditions for product documentation  336
Index  337
However, the IBM Endpoint Manager for Remote Control server provides a
method of centralized, and finer, policy control, where targets can have
different policies that are determined by the user who is trying to start the
remote control session. The server also provides centralized audit and
storage of full automatic session recordings. In this scenario, the controller
is not a stand-alone application but is started as a Java™ Web Start
application from the IBM Endpoint Manager for Remote Control server's
web interface to start the remote control session.
Note: Peer to peer and managed are not exclusive modes. The IBM
Endpoint Manager for Remote Control target can be configured in the
following ways.
• Configured to be strictly managed.
• Configured to fail back to peer to peer mode when the server is not
reachable.
• Configured to accept both peer to peer and managed remote control
sessions.
The secure.url property is prefilled during the installation with the secure URL.
When you select the https check box, the following property is set:
url=secure.url
When you do not select the https check box, the property is set as:
where regular http address is the server IP address that is used for http access.
Disabling http
If you selected https during the server installation, you can also disable http
completely on the web server by setting the Server Port on Webserver field in the
installer screens, or the HTTP port field in the IBM Endpoint Manager for
Remote Control Server Installer Wizard, to 0.
enforce.secure.alllogon=
Value	Definition
True	Logons from the IBM Endpoint Manager for Remote Control Server GUI use https. Logons using http through another tool or page are not prevented. Https is not shown in the URL, but the logon page with USERID/PASSWORD is posted via https. The secure.url parameter is used. If this is set incorrectly, the logon does not succeed.
False	Logon via http or https, whichever has been entered in the browser URL.
Note:
1. The secure.url property must be set with a proper host name, not localhost.
2. After the logon, the session remains in https. Unless other enforce.secure
parameters have been set, there is nothing to stop a user from using http for the
duration of the session.
enforce.secure.web.access=
enforce.secure.endpoint.callhome=
enforce.secure.endpoint.upload=
You can change the default certificate by installing your own certificate. For more
information about installing a certificate see, “Installing a certificate.”
where [installdir] is the IBM Endpoint Manager for Remote Control installation
directory.
The configuration for the certificate file is stored in the ssl.xml file in the
following directory.
Windows systems
\[installdir]\wlp\usr\servers\trcserver
Linux systems
/[installdir]/wlp/usr/servers/trcserver
where [installdir] is the IBM Endpoint Manager for Remote Control installation
directory. Any changes to the ssl.xml file are overwritten by configuration changes
when you reinstall or upgrade the IBM Endpoint Manager for Remote Control
server, or rerun trcsetup.cmd.
Installing a certificate
To install a certificate in IBM Endpoint Manager for Remote Control, you can either
use an existing P12 or JKS keystore or import an existing certificate into the
existing keystore.
Any changes that are made to the certificate configuration are overwritten if you
reinstall or upgrade the IBM Endpoint Manager for Remote Control server. Choose
the appropriate method to install a certificate for IBM Endpoint Manager for
Remote Control. You can also configure the SSL certificate by using the server
installer. For more information about configuring the SSL certificate during
installation, see the IBM Endpoint Manager for Remote Control Installation Guide.
1. To use an existing keystore, complete the following steps:
a. Edit the ssl.xml file.
The following information applies only when you previously used the server
installer to install the IBM Endpoint Manager for Remote Control server with an
embedded WebSphere Application Server 8.5 Liberty Profile.
If you are using the default keystore and key.jks file, back up the following file
and directory.
Windows systems
\[installdir]\wlp\usr\servers\trcserver\resources\security\key.jks
Linux systems
/[installdir]/wlp/usr/servers/trcserver/resources/security/key.jks
where [installdir] is the IBM Endpoint Manager for Remote Control server
installation directory.
If the default keystore file is not in the default directory or you changed the
default keystore password, also back up the ssl.xml file. The file is in the
following location.
Windows systems
\[installdir]\wlp\usr\servers\trcserver\ssl.xml
Linux systems
/[installdir]/wlp/usr/servers/trcserver/ssl.xml
where [installdir] is the IBM Endpoint Manager for Remote Control installation
directory.
password.reuse=
expire.new.password=
password.timeout=
password.timeout.period=
password.check=
password.must.have.non.numeric=
password.must.have.numeric=
password.must.have.non.alphanumeric=
password.min.length=
password.max.length=
password.max.matching.sequential.chars=
password.max.previous.chars=
account.lockout.timeout=
account.lockout.allowlogonfrom=
Examples of usage:
account.lockout = 0
account.lockout.timeout = X
account.lockout=0
account.lockout = 3
account.lockout.timeout =
After three successive failed logons for an account, the account is locked and
requires a reset through the database or the server UI by using an administrator
account. This is a manual reset because account.lockout.timeout is not assigned a
value.
account.lockout = 3
account.lockout.timeout = 1HOUR
After three successive failed logons for an account, the account is locked for a
duration of 1 hour, but it can also be reset through the database or the server UI
by using an administrator account.
account.lockout = 3
account.lockout.timeout =
After three successive failed logons for an account, the account is locked and
requires a reset through the database or the server UI by using an administrator
account, or the user can log on from a machine with the IP address set in
account.lockout.allowlogonfrom and the lockout is ignored.
When a user account has been locked, you can unlock the account using the
Unlock locked userid menu item. See Chapter 4, “Unlocking user accounts,” on
page 17.
When a user uses the forgotten password option on the logon page, a password is
emailed to the registered user for the account. However, if the account is locked, it
remains locked. This is a security precaution to prevent an attacker from having
unlimited attempts to guess a password. You can use the property
account.lockout.reset.on.emailpassword to automatically unlock an account in
this scenario.
account.lockout.reset.on.emailpassword=
Note: If email AND LDAP are enabled, the forgotten password option is not
displayed.
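As an added example that is not the product's own code, the following Python models the lockout behaviour described above (account.lockout, account.lockout.timeout, account.lockout.allowlogonfrom and account.lockout.reset.on.emailpassword) against a constructed sequence of logon attempts. The addresses 192.0.2.10 and 198.51.100.7 are constructed, and the assumptions that account.lockout=0 disables lockout and that "1HOUR" is the general timeout syntax are mine, not the page's.

```python
# Added example, not the product's code: simulates the documented account.lockout
# behaviour over constructed logon attempts. Assumed (not stated on the page):
# account.lockout=0 disables lockout, timeouts use the "1HOUR" form of the page's
# example, and the account locks when the failure count reaches account.lockout.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

_UNIT_SECONDS = {"SECOND": 1, "MINUTE": 60, "HOUR": 3600, "DAY": 86400}

def parse_timeout(value: str) -> Optional[timedelta]:
    """Parse "1HOUR", "30MINUTES", ...; an empty value means manual reset only."""
    value = value.strip().upper()
    if not value:
        return None
    match = re.fullmatch(r"(\d+)\s*([A-Z]+?)S?", value)
    if not match or match.group(2) not in _UNIT_SECONDS:
        raise ValueError(f"unrecognised account.lockout.timeout: {value!r}")
    return timedelta(seconds=int(match.group(1)) * _UNIT_SECONDS[match.group(2)])

@dataclass
class LockoutPolicy:
    lockout: int                   # account.lockout: failures before locking (0 = off)
    timeout: Optional[timedelta]   # account.lockout.timeout: None = manual reset only
    allow_logon_from: frozenset    # account.lockout.allowlogonfrom: addresses that bypass
    reset_on_emailpassword: bool   # account.lockout.reset.on.emailpassword

    @classmethod
    def from_properties(cls, props: dict) -> "LockoutPolicy":
        """Build the policy from trc.properties-style key/value pairs."""
        allowed = props.get("account.lockout.allowlogonfrom", "")
        reset = props.get("account.lockout.reset.on.emailpassword", "false")
        return cls(int(props.get("account.lockout", "0") or 0),
                   parse_timeout(props.get("account.lockout.timeout", "")),
                   frozenset(ip.strip() for ip in allowed.split(",") if ip.strip()),
                   reset.strip().lower() == "true")

@dataclass
class Account:
    """The per-user lockout fields that the Change details screen shows."""
    failed_logons: int = 0
    locked_at: Optional[datetime] = None

def logon(policy, account, password_ok, source_ip, now):
    """Apply one logon attempt; returns 'success', 'failed' or 'locked'."""
    bypass = False
    if account.locked_at is not None:
        if policy.timeout is not None and now >= account.locked_at + policy.timeout:
            account.locked_at, account.failed_logons = None, 0   # timed lock expired
        elif source_ip in policy.allow_logon_from:
            bypass = True                # lockout ignored for this address only
        else:
            return "locked"              # credentials are not even checked
    if password_ok:
        if not bypass:
            account.failed_logons = 0
        return "success"
    account.failed_logons += 1
    if not bypass and policy.lockout and account.failed_logons >= policy.lockout:
        account.locked_at = now
    return "locked" if account.locked_at is not None else "failed"

def email_temporary_password(policy, account):
    """Forgotten password: a locked account stays locked unless the reset property
    is true (an administrator unlock does the same reset). Returns True when the
    account can log on afterwards."""
    if account.locked_at is not None and policy.reset_on_emailpassword:
        account.locked_at, account.failed_logons = None, 0
    return account.locked_at is None

def run_timed_lockout_example():
    """Replay the page's account.lockout=3 / 1HOUR example on a constructed log."""
    policy = LockoutPolicy.from_properties({
        "account.lockout": "3", "account.lockout.timeout": "1HOUR",
        "account.lockout.allowlogonfrom": "192.0.2.10"})   # constructed address
    account, start = Account(), datetime(2024, 1, 1, 9, 0)
    attempts = [  # (minutes after start, source IP, password correct?), constructed
        (0, "198.51.100.7", False), (1, "198.51.100.7", False),
        (2, "198.51.100.7", False),  # third failure: locked at 09:02
        (5, "198.51.100.7", True),   # right password, but the lock is still in force
        (6, "192.0.2.10", True),     # allow-listed address: the lockout is ignored
        (7, "198.51.100.7", True),   # everyone else is still locked out
        (65, "198.51.100.7", True),  # more than 1HOUR after locking: lock expired
    ]
    return [logon(policy, account, ok, ip, start + timedelta(minutes=m))
            for m, ip, ok in attempts]

def run_forgotten_password_example():
    """No timeout: the emailed password unlocks only when the reset property is set."""
    results = []
    for reset in ("false", "true"):
        policy = LockoutPolicy.from_properties(
            {"account.lockout": "3", "account.lockout.reset.on.emailpassword": reset})
        account = Account()
        for minute in range(3):
            logon(policy, account, False, "198.51.100.7", datetime(2024, 1, 1, 9, minute))
        results.append(email_temporary_password(policy, account))
    return results
```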
To obtain a temporary password, complete the following steps on the logon screen:
1. Enter your ID.
2. Click Forgotten password.
3. Click Logon. A message is displayed: A new password has been sent to your
registered email address.
4. Log on with your ID and temporary password.
The Edit details screen is displayed, where you can change your password.
5. Type and confirm your new password.
6. Click Submit.
Your new password is saved. When email is enabled, you can contact the System
Administrator using the link on the logon screen.
Setting up email
To use the email function, a mail server must be installed and set up. You enable
the email function by editing the following variables in the trc.properties file:
email.enabled
Set to true to enable the email function.
smtp.server
Set this to the address of the mail server.
smtp.authentication
Set to true if you want the SMTP server to authenticate with the SMTP ID
and password. Set to false if no authentication is required.
smtp.userid
User ID for the SMTP server.
smtp.password
Password for the SMTP server.
Logging off from the IBM Endpoint Manager for Remote Control server
To log off from the IBM Endpoint Manager for Remote Control server UI, select
Sign Out. The welcome screen is displayed.
When a user logs on to the IBM Endpoint Manager for Remote Control server with
an incorrect password, their user account is locked if the number of failed logon
attempts exceeds the value assigned to the account.lockout property in the
trc.properties file. For more information about this property, see “trc.properties”
on page 172.
To unlock the user account for one or more users, complete the following steps:
1. Choose the appropriate method to unlock users.
a. To unlock users using the search utility:
• Click Users > Search.
• The Search User screen is displayed.
• Enter the user information to be used in the search.
• Click Submit.
• Select the required user and go to step 2.
b. To unlock users using the All Users report:
• Click Users > All users.
• The list of all defined users is displayed.
• Select the required users.
2. Choose the appropriate action to unlock the users.
• Click Users > Unlock locked userid.
• Select Unlock locked userid from the Action list on the left.
The user account for the selected users is unlocked and they are able to make
another logon attempt.
The following additional user information is also displayed on the Change details
screen when you are editing user details, if the account.lockout property in the
trc.properties file is enabled. For more information about editing user details, see
“Modifying user details” on page 34.
Last failed logon
Shows the date and time of the last failed logon attempt by this user.
Failed logons
Shows the number of failed logons since the last successful logon or since
the user's account was unlocked by an administrator.
Account locked
Displays Yes or No depending on whether the user's account has been
locked because they have reached the limit of consecutive failed logons
defined by the account.lockout property in the trc.properties file.
IBM Endpoint Manager for Remote Control Administrator’s Guide
Chapter 5. Managing targets and target groups
In the IBM Endpoint Manager for Remote Control system, targets are endpoints
that you install the target software on. The target software identifies the computers
to the IBM Endpoint Manager for Remote Control Server to receive connection
requests, and pass information to and from the server. For more information about
installing the target software, see the IBM Endpoint Manager for Remote Control
Installation Guide.
The targets periodically report back to the IBM Endpoint Manager for Remote
Control Server to let the server know that they are still active and, in particular,
when their state changes. For example, when a user logs on, when a remote
control session is taking place or when the system powers on or shuts down.
When a target is first installed and made known to the server it is automatically
assigned to the default target group and given a default set of policies. You can
decide which set of policies and permissions must be assigned to the target by
making it a member of any relevant target groups. Target groups are created and
assigned specific permissions that are combined with user group permissions to
determine what the target users can do during remote control sessions.
Note: Only a user with Administrator authority sees the Target Groups menu.
Managing Targets
The following actions are available for Administrators to use on targets. For more
information about the features that all users can use on targets, see the IBM
Endpoint Manager for Remote Control Console User's Guide
Delete Target
Use this feature to delete one or more targets from the IBM Endpoint
Manager for Remote Control Server
Manage Group Membership
Use this feature to add a target to a target group.
Deleting a target
You can remove targets from the IBM Endpoint Manager for Remote Control
Server by using the Delete target option.
• If the target is still active and it has the IBM Endpoint Manager for Remote
Control Target service running, it can report back to the server again and its
details are uploaded to the server, to be displayed in the All Targets list.
• If it does report back, any policies or permissions that were set previously are
reset and it is no longer a member of any previously assigned target groups.
Removing the target software or stopping the IBM Endpoint Manager for Remote
Control - Target service on the target prevents it from uploading details again.
2) In the search field, enter information about the required target, for
example: serial number, computer name, model number, IP address.
3) Click Submit.
4) Select the required targets from the list and go to step 2.
b. To delete a target using the All Targets report, complete the following steps:
1) Click Targets > All targets.
2) The list of all defined targets is displayed.
3) Select the required targets.
2. Choose the appropriate action to delete the target.
• From the Targets menu select Delete target.
• Select Delete target from the Actions list on the left.
3. On the Confirm deletion screen click Submit.
You can use the Manage group membership feature to add targets to target
groups thus making them members of the selected groups. This action must be
performed after a new target is made known to the server. For more information
about creating target groups, see “Creating target groups” on page 22. For more
information about how policies and permissions are granted for remote control
sessions, see Chapter 8, “How policies are determined for a remote control
session,” on page 63.
You can also assign targets to target groups by creating target membership rules.
The rules can be used to automatically assign targets to specific groups when they
contact the IBM Endpoint Manager for Remote Control server. For more
information about target membership rules, see “Using rules to define target
membership” on page 125.
To add a target to one or more target groups, complete the following steps:
1. Choose the appropriate step to select a target:
a. Select by using the search utility
1) Click Targets > Search
2) In the search field, type in some specific or non-specific information
about the targets.
For example, targets used by the one department might need to be in the same
target group. You can select all of these targets and assign them to the relevant
target group or groups at the same time, which is more efficient than assigning
each target individually.
Assign multiple targets to target groups by using one of the following options,
which can be used when you define the group tree hierarchy.
replace
The selected targets become members of the group or groups that you
select within Manage Group Membership. Their membership of any other
groups is replaced by the target groups that are selected here.
For example: Target1 and target2 are members of targetgroup1 and
targetgroup2. Select these targets from the target list and then select
Manage Group Membership. From the list of groups that are displayed,
select targetgroup3 and the replace option. Target1 and target2 are no
longer members of targetgroup1 or targetgroup2 and are only members of
targetgroup3.
add
The selected targets are now also members of the group or groups that you
select within Manage Group Membership.
For example: In the example that is used for the replace option, if
targetgroup3 is selected with the add option, target1 and target2 are now
members of targetgroup1, targetgroup2, and targetgroup3.
delete
The selected targets are removed from the groups that you select within
Manage Group Membership.
To assign multiple targets to one or more target groups, complete the following
steps:
1. Choose the appropriate method for selecting a target.
a. Select by using the search utility:
• Select Targets > Search.
• Type in some relevant information for retrieving the target data.
• Click Submit.
• Select the targets and then go to step 2.
You can click Reset to clear the value that is entered in the search field.
b. Select by using the All targets report:
• Click Targets > All targets.
• Select the relevant targets from the list.
2. Choose the appropriate way to select Manage Group Membership.
• Click Targets > Manage Group Membership.
• Select Manage Group Membership from the Actions list on the left.
The Manage User Group Membership screen is displayed listing all defined
target groups and sub groups.
3. From the group list, select the relevant target groups. Any groups with a + sign
can be expanded to select sub groups also.
4. Select one of the following options:
• replace current group membership
• add to current group membership
• delete from current group membership
5. Click Submit.
The group membership for the multiple selected targets is defined by the option
that is selected in step 4.
For more information about starting remote control sessions, see the IBM Endpoint
Manager for Remote Control Installation Guide. When a new target is defined in the
IBM Endpoint Manager for Remote Control Server, it automatically becomes a
member of the default target group, however the Administrator must assign the
target to relevant target groups.
A target can be a member of multiple groups. Policies and permissions are defined
for a target group when it is created. A permissions link must be created between
the target group and a user group. The policies and permissions that are defined in
the permission link and any other links that are defined in the group hierarchy, are
Value	Description
Never	Do not apply the workaround.
At session start	Reset the Windows session when a remote control session is started. Note: The Windows session takes a couple of minutes to initialize and the controller user sees a blank desktop until the initialization is complete.
After console is logged out	Reset the Windows session when the Remote Desktop user logs out.
For more information about this attribute, see “Gray screen on a Windows 2003
system” on page 311.
Note: For more information about server policies, see Chapter 7, “Server
session policies,” on page 47.
Yes The policy is valid for members of this target group and therefore
its value is considered when the permissions are combined in
Manage Permissions.
No The policy is not valid for members of this target group but its
value is also considered when the permissions are combined in
Manage Permissions.
Not Set
No value is set and therefore it is not considered when the
permissions are combined in Manage Permissions because this
option is overridden by all others. For more information about
how permissions are assigned, see Chapter 8, “How policies are
determined for a remote control session,” on page 63.
c. The new permissions set can be saved in the following ways:
– Save existing template
Select this option to save the changes to the template name that is
displayed in the template list.
– Save as new template named
Select this option to save the changes to a new template.
d. Click Submit.
To list all members of a selected target group, complete the following steps:
1. Choose the appropriate method for selecting the target group
a. Select using the search utility
v Follow the steps in “Searching for target groups” on page 29, then return
to here.
v Select the required target group then go to step 2.
b. Select using the All Target groups report
v Click Target groups > All target groups.
v The list of all defined target groups is displayed.
v Select the required target group.
2. Choose the appropriate way to select List Members.
v Select Target Groups > List Members.
v Select List members from the Action list on the left.
The list of members for the selected target group is displayed, showing any target
groups as well as targets that are members of the selected group.
Note:
1. Click Cancel from the List Members screen to return to the previously
displayed screen.
Note: Click Cancel on the Confirm Deletion screen to return to the previously
displayed screen and the target groups are not deleted.
Note: It is important to note that if the policy values are changed for a group, the
new policies will only be valid for this group when any NEW permissions links,
between this target group and a user group, are created in manage permissions.
For creating permissions links, see Chapter 8, “How policies are determined for a
remote control session,” on page 63. Any existing links already defined in manage
permissions for this target group, will keep the policy values that were set for the
group when the link was created.
Note:
1. Click Cancel to return to the previously displayed screen.
Note:
1. Click Cancel to return to the previously displayed screen; the target remains
a member of the selected target group.
2. The steps above remove a target from a target group. The same steps apply
for removing a target group from a target group.
Note: You can confirm the removal by performing List Members on the selected
target group; see “Viewing the members of a target group” on page 25. The
selected target is not displayed in the list.
Note: You can confirm the removal by performing List Members on the selected
target group; see “Viewing the members of a target group” on page 25. The
members list should be empty.
Note:
a. The group hierarchy can be created with target groups being members of
target groups therefore some target groups in the list may have a plus sign
in front of them which can be expanded. You can expand it to show the
target group members of this target group. For details of how the group
hierarchy is used, when determining the policies and permissions that are
assigned when a remote control session is requested, see Chapter 8, “How
policies are determined for a remote control session,” on page 63.
b. A target group can be a member of multiple target groups. For creating
target groups, see “Creating target groups” on page 22.
c. You can assign multiple target groups to other target groups at the same
time. See “Assigning multiple targets to target groups” on page 21 and
follow this procedure selecting multiple target groups.
4. Click Submit.
Note: The information entered is not case sensitive - Test will also match on
test
v If no matching target groups are found, a message is displayed and the target
group list is blank.
Note:
1. Click Reset on the Search screen to clear values or return to previous values on
the input screen.
2. Click Cancel on the Search screen to return to the previously displayed screen.
3. If nothing is entered in the input field and Submit is clicked, the list of all
target groups is displayed.
The following table illustrates each user account and highlights the authority that
is given to each account.
User Account              Types of functions
Administrator             Can do the same tasks as a user and super user and also more
(User+, Super User+)      advanced functions. Unlike the user and super user, they are not
                          limited to just viewing their own details but can view details for
                          all users. Also responsible for maintaining and modifying user and
                          target groups and for managing permissions that are granted to
                          those groups. A user with administrator authority can do the
                          following extra actions:
                          v Edit and delete targets.
                          v Create, delete, and manage users.
                          v Create, delete, and manage user groups.
                          v Create, delete, and manage target groups.
                          v Create and run various reports on users, sessions, targets, and
                            server.
                          v Various types of data importing. For example, from LDAP or by
                            using import templates.
                          v Property file editing.
                          v Search for targets and users.
                          v View the application log and server status.
Note:
1. Click Reset to clear or change back to previous values any changes made to the
input screen.
The All Users screen is displayed listing all users defined in the system.
To set the authority level of a user account, complete the following steps:
1. Choose the appropriate method for displaying the user.
a. To select the user using the search utility
v Follow the steps in “Searching for users” on page 36 to display the
required users.
v Select the user then go to step 2.
b. To select the user using the All Users report
v Click Users > All users.
v The list of all defined users is displayed.
v Select the required user.
2. Choose the appropriate method for selecting Edit User.
v Click Users > Edit User.
v Select Edit User from the Action list on the left.
The Change Details screen is displayed.
Note:
1. Click Reset to clear or change back to previous values, any changes made to
the input screen
2. Click Cancel to return to the previously displayed screen
Note: If this user account has been locked previously due to the
number of allowed failed logon attempts being exceeded, the number
shown for failed logons denotes the number of failed attempts since the
last time the account was unlocked.
Account locked
Displays Yes or No depending on whether the user's account has been
locked because they have reached the limit of consecutive failed logons
defined by the account.lockout property in the trc.properties file.
Note:
1. Click Reset to clear or change back to previous values any changes made to the
input screen
2. Click Cancel to return to the previously displayed screen
Removing users
After users have been created you can remove them if they are no longer required.
Use the Delete user function to remove them. If there are many users defined in
the system, using the search utility will provide a quicker route to the required
users.
Note: Click Cancel on the Confirm deletion screen to return to the previously
displayed screen and the users are not deleted.
To unlock the user account for one or more users, complete the following steps:
1. Choose the appropriate method for displaying the users.
a. To unlock users using the search utility
v Follow the steps in “Searching for users” on page 36 to display the
required users.
v Select the required users then go to step 2 on page 36.
b. To unlock users using the All Users report
v Click Users > All users.
v The list of all defined users is displayed.
The user accounts of the selected users are unlocked and the users can make a
new logon attempt.
The Session History screen is displayed listing the sessions that have been started
by the selected users, with the most recent session first in the list.
Note:
1. Click Reset on the Search screen to clear or change back to previous values,
any changes that are made to the input screen
2. Click Cancel on the Search screen to return to the previous screen.
When a new user is defined in IBM Endpoint Manager for Remote Control Server
they automatically become a member of the DefaultGroup. You can also assign the
user to other user groups.
Note:
1. A user can be a member of multiple groups.
2. It is important to note that, although policies and permissions are defined for
the user group when it is created, this is not the set of policies that is applied
in a remote control session between members of this user group and members
of a target group. A permissions link MUST be created between the user group
and a target group and it is the policies and permissions defined in this link, as
well as any other links defined in the group hierarchy, that are used to derive
the set of policies for the session. For more details, see Chapter 8, “How
policies are determined for a remote control session,” on page 63.
Note: For definitions and default and possible values for these policies,
see Chapter 7, “Server session policies,” on page 47.
Yes This policy is valid for members of this user group and therefore
its value is considered when combining the permissions in
Manage Permissions.
No This policy will not be valid for members of this user group but
its value will also be considered when combining the
permissions in Manage Permissions.
Not Set
No value is set and therefore it is not considered when
combining the permissions in Manage Permissions as this option
is overridden by all others. For details of how permissions are
assigned, see Chapter 8, “How policies are determined for a
remote control session,” on page 63.
3) The new permissions set can be saved in one of two ways
v Save existing template
Select this option if you want to save the changes made to the
template name that is displayed in the template list.
v Save as new template named
Select this option if you want to save the changes made to a new
template. Enter a name for the new template.
4) Click Submit.
Note:
1) Click Cancel to return to the previously displayed screen and the user
group is not created.
Note:
1. Click Cancel to return to the previously displayed screen.
Do this by using one of the following three options when defining the group tree
hierarchy.
replace
The selected users become members of the groups that you select within
manage group membership. Their membership of any other groups is
replaced by the user groups that are selected here.
For example: user1 and user2 are members of usergroup1 and usergroup2.
Select the users from the user list and then select manage group
membership. From the list of groups that is displayed, select
usergroup3 and the replace option. user1 and user2 are no longer
members of usergroup1 or usergroup2 and are only members of usergroup3.
add The selected users are now also members of the groups that you select
within manage group membership.
For example: in the example used in the replace option, if usergroup3
is selected with the add option, user1 and user2 are now
members of usergroup1, usergroup2 and usergroup3.
delete The selected users are removed from the groups that you select within
manage group membership.
For example: user1 and user2 are members of usergroup1 and usergroup2.
Select these users from the user list, then select manage group
membership. Select usergroup2 from the group list within manage group
membership along with the delete option. user1 and user2 are still
members of usergroup1 but are no longer members of usergroup2.
To assign multiple users to one or more user groups, complete the following steps:
Note:
1) Click Reset to clear the value entered into the search field.
2) Click Cancel to return to the previously displayed screen and the search
is not performed.
b. Select using the All users report.
v Click Users > All users.
v Select the required users from the list.
2. Choose the appropriate method for selecting Manage Group Membership
v Click Users > Manage Group Membership.
v Select Manage Group Membership from the Actions list on the left.
The Manage User Group Membership screen is displayed listing all defined
user groups and sub groups.
3. From the group list select the required user groups. Any groups with a + sign
can be expanded to select sub groups also.
4. Select one of the following options:
v replace full group membership
v add to current group membership
v delete from current group membership
5. Click Submit.
The group membership for the multiple users is defined by the option selected in
step 4.
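The replace, add and delete options above, and the nested-group hierarchy that the policy chapter later relies on, as an added worked example. This is illustration code written for this page, not code from IBM Endpoint Manager for Remote Control; the dictionary data model (user to set of group names, group to set of parent groups) and the sample users and groups are assumptions constructed for the example.

```python
"""Manage Group Membership: replace, add and delete, and the group hierarchy.

Added illustration, not code from IBM Endpoint Manager for Remote Control.
It models what the three options do to the membership of every selected
user, and how a user's direct groups expand through nested groups into the
parent and grandparent groups that the policy derivation considers. The
dictionary-based data model is an assumption made for this example only.
"""
from copy import deepcopy

REPLACE, ADD, DELETE = "replace", "add", "delete"


def manage_group_membership(membership, selected_users, selected_groups, option):
    """Return a new membership map after applying one option to all selected users.

    membership: {user: set of group names}. The input is not modified, which
    mirrors Cancel leaving memberships unchanged until Submit is clicked.
    """
    if option not in (REPLACE, ADD, DELETE):
        raise ValueError(f"unknown option: {option!r}")
    chosen = set(selected_groups)
    updated = deepcopy(membership)
    for user in selected_users:
        current = updated.setdefault(user, set())
        if option == REPLACE:
            updated[user] = set(chosen)        # membership of all other groups is dropped
        elif option == ADD:
            current.update(chosen)             # existing memberships are kept
        else:
            current.difference_update(chosen)  # only the chosen groups are removed
    return updated


def effective_groups(user, membership, group_parents):
    """Expand a user's direct groups through the group hierarchy.

    group_parents: {group: set of groups that this group is a member of}.
    The result is the direct groups plus every parent and grandparent. The
    visited check means a loop in the hierarchy (A in B, B in A) terminates.
    """
    result = set()
    pending = list(membership.get(user, ()))
    while pending:
        group = pending.pop()
        if group in result:
            continue
        result.add(group)
        pending.extend(group_parents.get(group, ()))
    return result


# Constructed sample data matching the examples in the text above.
SAMPLE_MEMBERSHIP = {
    "user1": {"usergroup1", "usergroup2"},
    "user2": {"usergroup1", "usergroup2"},
    "user3": {"usergroup1"},
}
# Constructed hierarchy: usergroup1 is a member of parentgroup, which is a
# member of grandparentgroup, which (deliberately) is a member of usergroup1.
SAMPLE_HIERARCHY = {
    "usergroup1": {"parentgroup"},
    "parentgroup": {"grandparentgroup"},
    "grandparentgroup": {"usergroup1"},
}


def worked_examples():
    """The replace, add and delete examples from the text, applied to user1 and user2."""
    users = ["user1", "user2"]
    return {
        REPLACE: manage_group_membership(SAMPLE_MEMBERSHIP, users, ["usergroup3"], REPLACE),
        ADD: manage_group_membership(SAMPLE_MEMBERSHIP, users, ["usergroup3"], ADD),
        DELETE: manage_group_membership(SAMPLE_MEMBERSHIP, users, ["usergroup2"], DELETE),
    }


if __name__ == "__main__":
    for option, result in worked_examples().items():
        print(option, {u: sorted(g) for u, g in result.items()})
    print("effective groups of user3:",
          sorted(effective_groups("user3", SAMPLE_MEMBERSHIP, SAMPLE_HIERARCHY)))
```

The loop guard in effective_groups is the check worth keeping in mind when you nest groups: nothing on the Manage Group Membership screen stops a group from ending up, through intermediate groups, as a member of itself, and a policy derivation that walks parents and grandparents must still terminate.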
To view all user groups click User Groups > All User groups.
To list all members of a selected user group, complete the following steps:
1. Choose the appropriate method for displaying the user group
a. Select using the search utility.
v Follow the steps in “Searching for user groups” on page 45 to display the
user group.
v Select the required user group then go to step 2.
b. Select using the All User Groups report
v Click User groups > All User Groups.
v The list of all defined user groups is displayed.
v Select the required user group.
2. Choose the appropriate method for listing the group members.
v Click User Groups > List Members.
v Select List members from the Action list on the left.
The list of members for the selected user group is displayed showing any user
groups as well as users that are members of the selected group.
Note:
1. Click Cancel from the List Members screen to return to the previously
displayed screen.
Note: Click Cancel on the Confirm Deletion screen to return the application to the
previously displayed screen and the user groups are not deleted.
Note: It is important to note that if the policy values are changed for a group, the
new policies will only be valid for this group when any NEW permissions links,
between this user group and a target group, are created in manage permissions.
For creating permissions links, see Chapter 8, “How policies are determined for a
remote control session,” on page 63. Any existing links already defined in manage
permissions for this user group, will keep the policy values that were set for the
group when the link was created.
Note:
1. Click Cancel to return to the previously displayed screen
Note:
1. Click Cancel to return to the previously displayed screen and the user remains
a member of the selected user group.
Note: Use the List Members function on the selected user group to confirm the
removal. For more details, see “Viewing the members of a user group” on page 41.
Note:
a. A group hierarchy can be created with user groups being members of user
groups. Some user groups in the list might have a plus sign next to their
name. Click the group names to show its user group members. For details
of how the group hierarchy is used when determining the policies and
permissions that are assigned when a remote control session is requested,
see Chapter 8, “How policies are determined for a remote control session,”
on page 63.
b. A user group can be a member of multiple user groups. For creating user
groups, see “Creating user groups” on page 37.
c. Multiple user groups can be assigned to user groups at the same time.
4. Click Submit.
Note:
1. Click Cancel on the Manage Group Membership screen to return to the
previously displayed screen. The user group is not assigned to the selected user
groups.
Note: The information entered is not case sensitive - Test will also match on
test
v If no matching user groups are found, a message is displayed and the user
group list is blank
Note:
1. Click Reset on the Search screen to change the input screen values back to their
previous values.
2. Click Cancel on the Search screen to return to the previously displayed screen.
3. If nothing is entered in the input field and Submit is clicked, the list of all
user groups is displayed.
For more information about groups and policies, see the following sections.
v “Creating user groups” on page 37
v “Creating target groups” on page 22
v Chapter 8, “How policies are determined for a remote control session,” on page
63
Policy list definitions
Security policies
Reboot
To send a restart request to the target computer so that it can be restarted
remotely. Determines whether Reboot is available as a session mode option
on the start session screen. For more information about session types, see
the IBM Endpoint Manager for Remote Control Controller User's Guide.
Set to Yes
Reboot is shown as an option on the start session screen.
Set to No
Reboot is not shown as an option on the start session screen.
Allow multiple Controllers
To enable collaboration so that multiple controllers can join a session.
Determines the availability of the collaboration option on the controller
window. For more information about collaboration sessions that involve
multiple participants, see the IBM Endpoint Manager for Remote Control
Controller User's Guide.
Set to Yes
The collaboration icon is available for selection in the controller
window.
Set to No
The collaboration icon is not active in the controller window.
Allow local recording
To make and save a local recording of the session in the controlling system.
Determines the availability of the record option on the controller window.
For more information about recording sessions, see the IBM Endpoint
Manager for Remote Control Controller User's Guide.
Set to Yes
The record option is available for selection in the controller
window.
Set to No
The record option is not active in the controller window.
Set target locked
Determines whether the local input and display are locked for all sessions, so
that the target user cannot use the mouse or keyboard on the target
while in a remote control session.
Set to Yes
The target screen is blanked out when the session is started,
preventing the target user from interacting with the screen while in
the session. The target desktop is still visible to the controller user
in the controller window.
Set to No
The target screen is not blanked out when the session is started
and the target user is able to interact with the screen.
Allow input lock
Determines whether the controller user can lock the local input and
display of the target when in a remote control session. Determines the
visibility of the Enable Privacy option on the controller window.
Set to Yes
The Enable Privacy option is available in the Perform Action in
target menu in the controller window. For more details of the
controller window functions, see the IBM Endpoint Manager for
Remote Control Controller User's Guide.
Set to No
The Enable Privacy option is not available in the Perform Action
in target menu in the controller window.
Connect at Logon
Determines whether a session can be started when no users are logged on
at the target.
Set to Yes
Session is established with the target.
Set to No
Session is not established and a message is displayed.
Use Encryption
Determines whether to encrypt the data that is being transmitted.
Disable Panic Key
Determines whether the Pause Break key can be used by the target user to
automatically end the remote control session.
Set to Yes
The target user cannot use the Pause Break key to automatically
end the remote control session.
Set to No
The target user can use the Pause Break key to automatically end
the remote control session.
Enable On-screen Session Notification
Determines whether a semi-transparent overlay is shown on the target
computer to indicate that a remote control session is in progress. Use this
policy when privacy is a concern so that the target user is clearly notified
when somebody is remotely viewing or controlling their computer.
Set to Yes
The semi-transparent overlay is shown on the target screen with
Note: If Enable Privacy is selected, during a session, the remote user input
is automatically locked. It is not possible to enable privacy without also
locking the input.
Display screen on locked target
Works along with Set target locked, which you can use to enable privacy
mode at session startup. You can use Display screen on locked target to
determine whether the target user can view their screen or not during a
remote control session, when privacy mode is enabled.
Set to Yes
In privacy mode, the target screen is visible to the target user during the
session, but their mouse and keyboard control is locked.
Set to No
In privacy mode, the target screen is not visible to the target user and the
privacy bitmap is displayed during the session. The target user's mouse
and keyboard input is also disabled.
Note: For Display screen on locked target to take effect set Set target
locked to Yes.
Denied Program Execution List
To specify a list of programs that a controller user cannot run on the target
during an active session with the target. These programs must be entered
as a comma-separated list. The following points must be noted.
Note:
1. This feature works only on the following operating systems
v Windows 2000, all editions
v Windows XP, 32-bit editions only
Note: Set the value to 0 for sessions that do not involve sending or
receiving information from the controller to the target. For example in
Monitor sessions.
Auditing
Force session recording
All sessions are recorded and the session recordings are uploaded and
saved to the server.
Set to Yes
A recording of the session is saved to the server when the session
ends. A link for playing the recording is also available on the
session details screen.
Set to No
No recording is stored and therefore no link is available on the
session details screen.
Local Audit
Use to create a log of auditable events that take place during the remote
control session. The log is created on both the controller and target
computer.
Set to Yes
The trcaudit log file is created and stored on the controller
computer in the home directory of the currently logged on user.
The log can be viewed on a Windows target computer by using the
event viewer. To access the Application Event Viewer click Start >
Control Panel > Administrative Tools > Event Viewer >
Application. On a Linux target, the events are stored in the
messages file that is in the /var/log directory.
Set to No
No log is created or stored on the controller or target computer.
Note: This policy is only valid if Record the session in the target system
is set to Yes.
Set to Yes
If Record the session in the target system is set to Yes and the session
recording is successfully uploaded to the IBM Endpoint Manager for
Remote Control Server, a copy of the recording is also saved on the target
system.
Set to No
If Record the session in the target system is set to Yes and the session is
recorded, a copy of the recording is not saved on the target system.
Record the session in the target system
Determines whether the session recording is done on the target system
instead of the controller, when the Force session recording policy is also
set to Yes.
Set to Yes
The session is recorded on the target and uploaded to the IBM Endpoint
Manager for Remote Control Server.
Note: If you set this policy to Yes, you must make sure that you
define registry keys in the trc.properties file. Otherwise, if you
click the menu item, nothing is shown.
Set to No
The defined list of registry keys is not visible in the Registry keys
menu.
Enable user acceptance for system information
Use this policy to display the user acceptance window on the target
computer when the controller user selects to view the target system
information.
Set to Yes
When the controller user clicks the system information icon in the
controller window, the user acceptance window is displayed. The
target user must accept or refuse the request to view the target
system information. If the target user clicks accept, the target
system information is displayed in a separate window on the
controller system. If they click refuse, a message is displayed on
the controller and the system information is not displayed.
Set to No
The target system information is displayed automatically when the
controller user clicks the system information icon.
Enable user acceptance for file transfers
Use this policy to display the user acceptance window on the target
computer when the controller user wants to transfer a file from the target
to the controller system.
Note: This policy works along with Acceptance Grace Time and
Acceptance timeout action.
Set to Yes
The acceptance window is displayed and the target user has the
number of seconds defined for Acceptance Grace time to accept or
refuse the session.
Note:
1. The target user can also select a different session mode on the
User Acceptance window.
2. The target user can hide any running applications by choosing
the Hide applications option on the acceptance window. For
more information about hiding applications, see the IBM
Endpoint Manager for Remote Control Controller User's Guide.
3. When set to Yes, the Acceptance Grace time must be > 0 to give
the target user time to accept or refuse the session
Accept
The session is established.
Refuse
The session is not started and a message is displayed.
Note: The installer creates the script directory with access just
for administrators and localsystem on a Windows system and
for read/write/execute just for root on a Linux system.
v Ensure that the scripts end within 3 minutes. If they run for
longer, they cannot return a valid execution code. The
administrator at the controller is notified that the timeout
elapsed and an error occurred. The execution code indicates
whether the script did run.
v Define a non-negative (greater than or equal to 0) exit code for
the script to indicate that the script ran with success and a
negative exit code to indicate that it ran with errors. Whenever
an error occurs a message is reported to the controller. The exit
code is shown and session fails to start.
Environment Variables
Note: After the target user accepts the request for recording, if the
controller user stops and restarts local recording, the acceptance window is
not displayed.
Set to No
When the controller user clicks the record icon on the controller window,
the message window is not displayed. The controller user can select a
directory to save the recording to.
Hide windows
Determines whether the Hide windows check box is displayed on the user
acceptance window when Enable user acceptance for incoming
connections is also set to Yes.
Set to Yes
The Hide windows check box is displayed on the user acceptance window.
Set to No
The Hide windows checkbox is not displayed on the user acceptance
window.
Remove desktop background
Determines whether a desktop background image can be removed from
view during a remote control session.
Set to Yes
The desktop background image on the target is not visible
during a remote control session.
Set to No
The desktop background image on the target is visible during a
remote control session.
Lock color depth
Determines whether the color depth that a remote control session is started
with can be changed during the session. Used along with Enable true
color.
Set to Yes
The initial color depth, for the remote control session, is locked and
cannot be changed during the session. The Enable true color icon
is disabled in the controller window.
Set to No
The initial color depth can be changed during the session.
Pre/post - script fail operation
Action to take if the pre-script or post-script execution fails. A positive
value or 0 is considered a successful run of the pre-script or post-session
script. A negative value, script that is not found or not finished running
within 3 minutes is considered a failure.
Abort If the pre-script or post-script run is a fail, the session does not
continue.
Proceed
If the pre-script or post-script run is a fail, the session continues.
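The outcome rules for pre- and post-session scripts (exit code 0 or positive is success; a negative exit code, a script that is not found, or a script that does not finish within 3 minutes is a failure; Abort or Proceed then decides whether the session continues), as an added worked example. This is illustration code written for this page, not the product's own script runner; the command lines it runs are constructed, and the shortened timeout passed to the slow case is there only so the sample finishes quickly.

```python
"""Pre/post-session script outcome and the 'Pre/post - script fail operation'.

Added illustration, not code from IBM Endpoint Manager for Remote Control.
It reproduces the decision rules in the text: a script that is not found,
exits with a negative code, or does not finish within 3 minutes counts as a
failure; the fail operation (Abort or Proceed) then decides whether the
session continues. The timeout parameter exists so the sample runs quickly;
180 seconds is the documented limit.
"""
import subprocess
import sys

SCRIPT_TIMEOUT_SECONDS = 180  # documented limit: scripts must end within 3 minutes
ABORT, PROCEED = "Abort", "Proceed"


def run_session_script(command, timeout=SCRIPT_TIMEOUT_SECONDS):
    """Run a pre- or post-session script and classify the result.

    Returns (ok, reason). ok is True only for an exit code >= 0 returned
    within the timeout; the reason text is what would be reported to the
    controller.
    """
    try:
        completed = subprocess.run(command, timeout=timeout)
    except FileNotFoundError:
        return False, "script not found"
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before raising, so a runaway
        # script does not outlive the decision.
        return False, f"script did not finish within {timeout} seconds"
    code = completed.returncode
    # On POSIX a negative returncode means the script was killed by a
    # signal; on Windows it is the script's own negative exit code. Both
    # are failures under the documented rule.
    if code < 0:
        return False, f"script reported error exit code {code}"
    return True, f"exit code {code}"


def session_may_continue(ok, fail_operation):
    """Apply the Pre/post - script fail operation policy to a script result."""
    if ok:
        return True
    if fail_operation == ABORT:
        return False
    if fail_operation == PROCEED:
        return True
    raise ValueError(f"unknown fail operation: {fail_operation!r}")


def demo():
    """Constructed cases: a good script, a missing script and a script that overruns."""
    python = sys.executable
    success = run_session_script([python, "-c", "import sys; sys.exit(0)"])
    missing = run_session_script(["/nonexistent/pre-session-script"])  # constructed path
    slow = run_session_script([python, "-c", "import time; time.sleep(5)"], timeout=1)
    return {
        "success": session_may_continue(success[0], ABORT),
        "missing_abort": session_may_continue(missing[0], ABORT),
        "missing_proceed": session_may_continue(missing[0], PROCEED),
        "slow_abort": session_may_continue(slow[0], ABORT),
        "slow_reason": slow[1],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

One caveat the page does not spell out: on Linux a process exit status is an unsigned 8-bit value, so a shell script cannot actually return a negative code (exit -1 is reported as 255). Scripts that need to signal failure on a Linux target should therefore be tested against the product rather than assumed to follow the Windows convention.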
Users and targets are assigned to groups that have policies and permissions
defined. The permissions defined in these groups are known as their standard or
normal set of permissions.
Due to the group hierarchy that can be set up, users and targets can be members
of groups and user groups and target groups can also be members of other groups.
This means that when a remote control session is requested, the permissions sets
that are defined for immediate user to target group relationships, and permissions
sets defined for relationships between parent and grandparent groups are all
considered when determining the policies for the session.
When all required user and target groups have been created and their membership
has been defined, you should create relationships between the user and target
groups. This will determine what policies and permissions are applied during a
remote control session. Use the Manage Permissions function to create these links
between the groups.
Note: Set up these groups and relationships in a way that does not lead to
unexpected policy values.
Note: After a permissions link has been created between a user group and a
target group, the only way to change the policies for a session between
members of these two groups is to edit this link. Editing the policies through
the Edit group function has no effect on the policies and permissions defined
in the existing link in Manage Permissions. It only affects the policies
considered for the group when any NEW permissions links are created.
Members of UG1 can carry out Guidance and Monitor Sessions but are not
allowed to perform a Reboot of the target.
For example : target group TG1
Members of TG1 can accept Guidance and Monitor Sessions and are allowed to
accept a Reboot request.
So using the example user and target group above, the following policy values,
would be automatically applied to the standard permissions set when UG1 and
TG1 are selected on the Manage Permissions screen.
Table 2. Standard Permissions (UG1 ↔ TG1)

Policy     UG1   TG1       Manage Permissions set
Guidance   Yes   Yes       Yes
Monitor    Yes   Not Set   Yes
Reboot     No    Yes       No
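The combination shown in Table 2, together with the priority rules for multiple permissions links given later in this chapter (under "Where multiple permissions links are present"), as an added worked example. This is illustration code written for this page, not code from IBM Endpoint Manager for Remote Control. The group names and link values are constructed; the ordering it uses for Yes values at priority 1 and 0 (higher priority wins, and at equal priority No beats Yes) is an assumption that extends the rules quoted on this page and should be checked against the full rule list.

```python
"""Deriving session policy values from group policies and permissions links.

Added illustration, not code from IBM Endpoint Manager for Remote Control.
It models two steps described in this chapter:

1. combine_standard(): how the Yes, No and Not Set values defined on a user
   group and on a target group are combined into the initial value shown on
   the Manage Permissions screen (the UG1/TG1 example in Table 2).
2. resolve_session(): how the values of the enabled permissions links in the
   group hierarchy (parent and grandparent links) are reduced to one value
   for the session: Priority 5 No beats everything, Priority 1 No applies
   only when no priority 5 value is present, and so on.

The ordering for Yes values at priority 1 and 0 (higher priority wins, at
equal priority No beats Yes) is an assumption extending the quoted rules.
"""
from dataclasses import dataclass

YES, NO, NOT_SET = "Yes", "No", "Not Set"


def combine_standard(user_group_value, target_group_value):
    """Combine the standard values of one policy from the two groups.

    No on either side wins, Not Set is overridden by any other value, and
    two Not Set values stay Not Set (nothing to consider).
    """
    values = {user_group_value, target_group_value}
    unknown = values - {YES, NO, NOT_SET}
    if unknown:
        raise ValueError(f"unknown policy value(s): {sorted(unknown)}")
    if NO in values:
        return NO
    if YES in values:
        return YES
    return NOT_SET


@dataclass(frozen=True)
class LinkValue:
    """The value of one policy in one user-group-to-target-group link."""
    link: str              # constructed name, e.g. "UG1<->TG1"
    value: str             # YES or NO (a Not Set policy is simply not listed)
    priority: int          # 0, 1 or 5
    enabled: bool = True   # the Enabled check box on the Manage Permissions screen


def resolve_session(link_values):
    """Reduce one policy's values across every relevant link to the session value."""
    candidates = [lv for lv in link_values if lv.enabled and lv.value in (YES, NO)]
    if not candidates:
        return NOT_SET
    # Rank by priority first; at equal priority a No outranks a Yes.
    winner = max(candidates, key=lambda lv: (lv.priority, lv.value == NO))
    return winner.value


# Constructed data reproducing Table 2: standard values for UG1 and TG1.
TABLE2_STANDARD = {
    "Guidance": (YES, YES),
    "Monitor": (YES, NOT_SET),
    "Reboot": (NO, YES),
}


def table2_manage_permissions_set():
    """The 'Manage Permissions set' column of Table 2."""
    return {policy: combine_standard(ug, tg) for policy, (ug, tg) in TABLE2_STANDARD.items()}


def hierarchy_example():
    """Reboot across two links: the direct link says No at priority 1, the
    grandparent link says Yes at priority 5, so the priority 5 value wins."""
    links = [
        LinkValue("UG1<->TG1", NO, priority=1),
        LinkValue("GrandparentUG<->GrandparentTG", YES, priority=5),
    ]
    return resolve_session(links)


if __name__ == "__main__":
    print(table2_manage_permissions_set())
    print("Reboot for the session:", hierarchy_example())
```

The hierarchy_example case is the one to keep in mind when auditing a configuration: a No set on the direct link between a user group and a target group is not final if a higher-priority Yes exists on a link between their parent or grandparent groups, which is exactly the "unexpected policy values" the note above warns about.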
Note: The procedure given here selects the target group first, it can also be
performed by selecting the user group first.
1. Click Target groups > All Target groups or use the search facility. For more
details, see “Searching for target groups” on page 29
2. Select the required target group. For example, DefaultTargetGroup.
3. Click Manage Permissions. The Manage Permissions screen is displayed.
4. Choose the appropriate method for creating the permissions link.
v Using the Group Browser. Use this option the first time a permissions link is
created.
– Click the selector button next to user group then select the required user
group from the list. For example, DefaultGroup.
– Click the selector button.
– Click the selector button next to target group then select the required
target group from the list. For example, DefaultTargetGroup.
– Click the selector button.
v Using an Existing profile.
– Select Existing Profile
– Select the required user to target group link from the list.
– Click the selector button.
The set of permissions and their selected values, derived from the combination
of standard policies defined for the selected user and target group, is displayed.
5. To activate the policies, click the Enabled checkbox at the top of the Enabled
column to enable all of the policies, or click the Enabled checkbox next to each
required policy. If not all of the policies are required, clear the Enabled
checkbox next to each policy that is not required.
Note: Click Cancel on the Manage Permissions screen to return to the previously
displayed screen; the permissions link is not created.
Note: When a permissions link is deleted, it is only the link between the user group
and the target group that is removed. The policies and permissions that are set
specifically for the user group and for the target group are not affected.
The next thing that is determined is which permissions links have been created
between any of these groups. Using the rules defined below, the permissions
for the session are derived.
v No grandparent group. This can be broken into two categories:
The user and target are members of only one user group and one target group
The policies for the session are set from the one permissions link that is
defined for their parent user group and target group combination.
The user and target are also members of other user and target groups
The policies for the session are derived by comparing the multiple
permissions links that are defined for any parent user group and target
group combinations.
Where multiple permissions links are present within the group hierarchy, the value
set for each enabled policy, within each link, is checked and the rules governing
the policy permissions for the session are as follows. A higher priority always
wins; at the same priority, No wins over Yes.
Priority 5 No
If a policy in any of the relevant permissions links has this value set, the
value set for the session is priority 5 No. This value overrides all other
values.
Priority 5 Yes
This value is set for the session if there are no priority 5 No values set in
any of the existing permissions links. Priority 5 Yes overrides any lower
priority No.
Priority 1 No
This value is set for the session if there are no priority 5 values set in any
of the existing permissions links.
Priority 1 Yes
This value is set for the session if there are no priority 5 values and no
priority 1 No values set in any of the existing permissions links.
Priority 0 No
This value is set for the session if there are no priority 1 or 5 values set in
any of the existing permissions links.
Priority 0 Yes
This value is set for the session if there are no higher priority values and no
priority 0 No values set in any of the existing permissions links.
There are no specific rules for non-binary policies, but the following should be noted:
v If there are multiple values for a non-binary policy set within permissions links in
the group hierarchy, the final set of policies inherits one of these values, but it
is not defined which one.
v More importantly, if a policy is NOT defined in any permissions link in the
group hierarchy, the default value defined in the trc.properties file (see
“trc.properties” on page 172) is assigned.
Note: If a non-binary policy has been enabled in the group hierarchy but no
value has been assigned to it, the value defined in trc.properties is
NOT assigned. Therefore, if you enable a non-binary policy, you must also
assign a value to it.
The examples use the following users, targets and groups:
v 4 user groups U1 – U4
v 5 target groups T1 – T5
v users X and Y
v targets A and B
The following gives the actions and steps that are required to set up the
users, targets, user groups and target groups used in the examples, which show
how policies and permissions are derived for a session.
1. Create the required users X and Y
a. Click Users > New.
b. Enter the relevant details for user X and click Submit.
Repeat these steps for user Y.
2. Create the required user groups U1 to U4
a. Click User groups > New user group.
b. Type in U1 for the group name.
c. Click Submit to accept the default template.
Repeat these steps for groups U2, U3 and U4.
3. Assign user or user group members to the user group
v Make user X a member of group U3
a. Click Users > Search.
b. Type in the userid or some other relevant information for user X.
c. Select the entry for user X then click Manage Group Membership.
d. In the user group list select U3 then click Submit.
Note: Make sure that U3 is the only user group that is selected.
v Make user Y a member of group U4
a. Click Users.
b. Click Search then type in the userid or some other relevant information
for user Y.
c. Select the entry for user Y then click Manage Group Membership.
d. In the user group list select U4 then click Submit.
Note: Make sure that U4 is the only user group that is selected.
v Make groups U3 and U4 members of U2
a. Click User groups.
b. Click Search then type in U.
c. Click Submit.
d. Select the entries for U3 and U4 then click Manage Group Membership.
e. In the user group list select U2.
Note: Make sure that U2 is the only user group that is selected.
f. Select add to current group membership.
g. Click Submit.
v Make target A a member of group T4
a. Click Targets.
b. Click Search then type in the serial number or some other relevant
information for target A.
c. Select the entry for target A then click Manage Group Membership.
d. In the target group list select T4 then click Submit.
Note: Make sure that T4 is the only target group that is selected.
v Make target B a member of group T5
a. Click Targets.
b. Click Search then type in the serial number or some other relevant
information for target B.
c. Select the entry for target B then click Manage Group Membership.
d. In the target group list select T5 then click Submit.
Note: Make sure that T5 is the only target group that is selected.
v Make group T4 and T5 members of T2
a. Click Target groups.
b. Click Search then type in T.
c. Click Submit.
d. Select the entries for T4 and T5 then click Manage Group membership.
e. In the target group list select T2.
Note: Make sure that T2 is the only target group that is selected.
f. Select add to current group membership.
g. Click Submit.
v Make T2 and T3 members of T1
a. Click Target groups.
b. Click Search then type in T.
c. Click Submit.
d. Select the entries for T2 and T3 then click Manage Group Membership.
e. In the target group list select T1.
Note: Make sure that T1 is the only target group that is selected.
f. Select add to current group membership.
g. Click Submit.
6. Permissions links are then created between specific user and target groups,
remembering to enable all required policies. The links are created in each
example below.
Figure 1. The group hierarchy that has been created: U1 contains U2, and U2
contains U3 and U4; user X is a member of U3 and user Y is a member of U4. T1
contains T2 and T3, and T2 contains T4 and T5; target A is a member of T4 and
target B is a member of T5.
Figure 2. The group hierarchy of Figure 1 with a single permissions link, between
U1 and T1, set at priority 0 with Chat Yes and Monitor No.
Using Figure 2 and the policy engine process explained above, there are parent and
grandparent groups; however, there is only one permissions link defined in the
group hierarchy, between U1 and T1. It is the policies and their values within this
link that are assigned for a remote control session. The resultant permissions set
allows users X and Y to initiate only Chat sessions with targets A and B.
Note: Monitor is set to No because the priority 0 No value that was set for group
U1 overrides the priority 0 Yes value that was set for group T1 when the standard
permissions for the link are derived.
Figure 3. The group hierarchy with two permissions links. The standard set for U1
is Chat Yes, Monitor No (priority 0) and the standard set for T1 is Chat Yes,
Monitor Yes (priority 0), giving a U1 ↔ T1 link at priority 0 with Chat Yes and
Monitor No. A second link, U4 ↔ T4, is set at priority 1 with Chat No and
Monitor Yes.
Using Figure 3 and the policy engine process explained above, there are parent
and grandparent groups and there are multiple permissions links defined in the
group hierarchy. The following permissions are applied for each example session.
Session with user X and target A
The only permissions link considered for these two entities is the one
between U1 and T1, because user X is NOT a member of U4. Therefore
user X can only initiate a Chat session with target A.
Session with user X and target B
A similar explanation to the one above. Only the link between U1 and T1
Note: The same explanation would apply if the priority values set in the
U4 ⇔ T4 link had been set to 5, as priority 5 overrides 1 and 1 overrides 0.
In Figure 4 on page 76 there are parent and grandparent groups, and there are
multiple permissions links defined in the group hierarchy. The following
permissions are applied for each example session.
Figure 4. As Figure 3, with the standard set for target group T2 now holding Chat
No at priority 0. No permissions link involves T2; the links remain U1 ↔ T1 at
priority 0 (Chat Yes, Monitor No) and U4 ↔ T4 at priority 1 (Chat No, Monitor Yes).
Note: The standard set for T2 has Chat set to priority 0 No, which would
override the standard Yes if it were in a link, BUT because no permissions
link was created between T2 and any other group, its values are not
considered; only the policy values in permissions links are inherited.
Session with user X and target B
A similar explanation applies. Only the link between U1 and T1
is considered, as user X is not a member of U4 and target B is NOT a
member of T4. Therefore user X can only initiate a Chat session with target
B. The T2 standard set is again not considered, for the same reason as above.
Session with user Y and target A
There are two permissions links to be considered this time, U1 ↔ T1 and
U4 ↔ T4. Therefore user Y can only initiate a Monitor session with target A,
as the priority 1 values set in the link between U4 and T4 override the
priority 0 values set in the link between U1 and T1. Again, T2 policies and
permissions are not considered as there are no permissions links set up
between it and any other group.
Figure 5. Three permissions links: U1 ↔ T1 at priority 0 (Chat Yes, Monitor No),
U2 ↔ T2 at priority 0 (Chat No), and U4 ↔ T4 at priority 1 (Chat No, Monitor
Yes). The standard set for T2 also holds Chat No at priority 0.
Using Figure 5 and the policy engine process explained above, there are parent and
grandparent groups, and there are multiple permissions links defined in the group
hierarchy. The following permissions are applied for each example session.
Session with user X and target A
There are two permissions links to be considered for these two entities: the
link between U2 and T2 and the link between U1 and T1. Both links have
priority 0 permissions set. U2 ⇔ T2 has Chat set to priority 0 No and U1
⇔ T1 has Chat set to priority 0 Yes; therefore user X cannot initiate a Chat
session or a Monitor session with target A, as the priority 0 No for Chat in
U2 ⇔ T2 overrides the priority 0 Yes for Chat in U1 ⇔ T1.
Note: The same explanation would have applied if the priorities for Yes and No
had both been 1 or 5. No overrides Yes when the priority values are the same.
Figure 6. As Figure 5, except that the U4 ↔ T4 link at priority 1 now has Chat
Yes and Monitor Yes. U1 ↔ T1 remains at priority 0 (Chat Yes), U2 ↔ T2 at
priority 0 (Chat No), and the standard set for T2 holds Chat No at priority 0.
Using Figure 6 and the policy engine process explained above, there are parent and
grandparent groups, and there are multiple permissions links defined in the group
hierarchy. The following permissions are applied for each example session.
Session with user X and target A
There are two permissions links to be considered for these two entities: the
link between U2 and T2 and the link between U1 and T1. Both links have
priority 0 permissions set. U2 ⇔ T2 has Chat set to No and U1 ⇔ T1
has Chat set to Yes; therefore user X cannot initiate a Chat session or a
Monitor session with target A, as the priority 0 No for Chat in U2 ⇔ T2
overrides the priority 0 Yes for Chat in U1 ⇔ T1.
Note: The same explanation would have applied if the priority value had been set
to 5 in the U4 ⇔ T4 link. Priority 5 overrides 1, and 1 overrides 0.
In summary
v Users and targets MUST be members of user and target groups to be able to
establish Remote Control Sessions.
v Permissions links MUST be set up between the relevant user and target groups.
v All required policies MUST be enabled in the permissions links.
v If there is only one permissions link defined in the group hierarchy it is the
policies and permissions defined in this link that will be assigned to the Remote
Control Session.
v If there are multiple permissions links defined in the group hierarchy, the final
set is derived from these links using the following rules:
– Priority 5 No overrides all other values.
– Priority 5 Yes overrides priority 0 or 1 No.
– Priority 1 No overrides priority 0 or 1 Yes.
– Priority 1 Yes overrides priority 0 No.
– Priority 0 No overrides priority 0 Yes.
v Changing policy values via Edit group does NOT affect the policy values for the
group in any existing permissions links, only in NEW permissions links.
Therefore it is of more benefit to make the changes in the permissions links
in Manage Permissions.
To create a set of permissions complete the following steps in the IBM Endpoint
Manager for Remote Control Server:
1. Click Admin > New Permission Set. The Edit Permission Set screen is
displayed.
2. Type in a name for the permissions set in the Set Name field.
3. Choose the appropriate method for enabling the required policies:
v To enable every policy, click Enabled at the top of the column.
v Select the check box next to each required policy.
Set to No
The policy is not in effect during the temporary session, depending on the
priority that is set for it.
You have now created a set of policies and permissions that can be selected
whenever you are granting a temporary access request so that you can enable and
set values for specific policies without having to manually select each one.
To view the list of permissions sets click Admin > All Permission Sets.
The View Permissions Sets screen is displayed listing all defined permissions sets.
The changes made are now saved to the selected set of permissions.
Note: Click Cancel to leave the Edit Permission Set screen. The information for the
selected set of permissions is not modified.
Note: Click Cancel to leave the View Permissions Sets screen and the selected
permissions sets are not removed.
Note: The email functionality must be enabled for the notification process to
take place. For more details, see “Setting up email” on page 16.
Display the Outstanding requests list to view this new request and determine its
outcome by performing one of the following actions:
v Grant
v Deny
v Delete
Allowing temporary access can be carried out in three ways:
1. Grant an outstanding access request.
2. Grant a denied request.
3. Grant an anonymous request.
Note: If there are existing policies set for the user and target, these should be
taken into consideration when setting the policies and permissions for the
temporary access.
5. Click Cancel to return to the Manage Access to Target screen.
6. Use the Specify access allowed section to set the policies and time period for
the access.
Setting the permissions effective during the session
You can enable and set the policies and permissions that are
effective during the temporary session by using an already defined
permissions set or by enabling individual policies. Choose the
appropriate method for setting the policies.
a. Permissions Set: use an already defined set of permissions.
1) Select a defined set of permissions from the list.
2) Click the arrow button next to Permissions to show the policies
and permissions that are set.
An email is sent to the requesting user informing them that the request for
temporary access has been granted and the request is saved to the Live access
requests list.
To grant an already denied request for temporary access, complete the following
steps:
1. Click Reports > All Access Requests.
2. Select the required request.
3. Choose the appropriate method for viewing the request:
v Select View/Edit request from the Actions list on the left.
v Select Reports > View / Edit request.
4. Go to step 6 on page 88 to complete the details for the request.
An email is sent to the requesting user informing them that the request for
temporary access has been granted and the request is saved to the Live access
requests list.
To accept an anonymous request for temporary access, complete the following
steps:
1. Click Reports > Outstanding Access Requests.
2. Select the required request.
3. Choose the appropriate method for viewing the request:
v Select View/Edit request from the Actions list on the left.
v Select Reports > View / Edit request.
4. The Manage Access to Targets screen is displayed showing that there are no
targets selected.
5. Specify Access allowed. Use the justification from the user to determine the
targets that are being requested.
Choose the appropriate method to select targets.
Select Targets
a. Click Select Targets.
b. Select one or more targets from the Search targets list.
c. Click Submit. The target name is displayed next to Targets.
Select Target Groups
a. Click Select Target Groups.
An email is sent to the user informing them that their request has been granted
and provides a link to the IBM Endpoint Manager for Remote Control application
so that they can access the targets.
To revoke a request for temporary access to a target, complete the following steps:
1. Click Reports > Live Access Requests.
2. Select the required request.
3. Choose the appropriate method for viewing the request:
v Select Reports > View/Edit request.
v Select View/Edit request from the Actions list on the left.
The Manage Access to Target screen is displayed, but because the status is
granted, the policies and permissions that were set for the temporary access
are not displayed.
4. If you need to change any of the policies for the request, click the Manage
Permissions link to view the policies that are set and complete steps 5 on page
65 to 9 on page 66 to make the required changes. If you do not need to
make any changes, click Revoke.
Note: If you click Cancel on the Manage Permissions screen any changes made
to the policies will not be saved.
An email is sent to the requesting user informing them that the request for
temporary access is no longer allowed and the request is removed from Live access
requests list.
To deny a request for temporary access to a target, complete the following steps:
1. Click Reports > Outstanding Access Requests.
2. Select the required request.
3. Choose the appropriate method for viewing the request:
v Select View/Edit request from the Actions list on the left.
v Select Reports > View/Edit request.
4. In the Admin Notes field supply a reason for denying the request.
5. Click Deny.
The selected requests are removed from the IBM Endpoint Manager for Remote
Control database.
Note: Click Cancel on the Confirm Deletion screen to return to the previously
displayed screen and the requests are not removed.
The request is removed from the IBM Endpoint Manager for Remote Control
database.
To view the Outstanding Access Requests list click Reports > Outstanding Access
Requests.
To view the Live Access Requests list click Reports > Live Access Requests.
To view the All Access Requests list click Reports > All Access Requests.
Note: A report manager is used to control the output of the reports. It caches the
output from a report and redisplays it when the report is next run, so that the
results are displayed faster and the application does not need to reload the data
from the database. Three properties in the trc.properties file set the interval
at which the data is reloaded from the database:
v report.timeout.frequency
v report.manager.frequency
v report.manager.period
For more details of these properties, see “trc.properties” on page 172.
The Refresh link at the upper right of the screen reloads the output of a report
to show any changes in the data.
Creating a report by Sorting and Filtering
You can create a custom report by sorting and filtering the columns of an already
defined report. To do this generate the report that is used as the basis for your new
report then perform the sort or filter option on this generated report.
f. Click Submit.
Note: The created report is displayed only in the Custom Reports menu of the
Admin User (or Super User) who created the report. If a group or groups is
selected in the step above, the report is also displayed in the Custom Reports
menu of any users who are members of the selected groups.
12. Click Submit.
Note:
1. Click Reset on the Edit Custom Report and Group Access Rights screen to clear
or reset any changes made to the input screen.
2. Click Cancel on the Edit Custom Report and Group Access Rights screen to
return to the previously displayed screen and the custom report is not created.
Note: The Add Column option is only applicable if more than one table has
been selected for the report. If you select only one table, the list is blank and
the next step is not required.
8. From the list, select a column and click Add.
9. Repeat step 8 until all required columns have been added.
10. Click Back to return to the Edit Report screen.
11. If you want to delete a column, complete the following steps:
a. Select Delete Column.
b. On the Delete Report Columns screen, select the required column and click
Delete.
c. Repeat the above step to delete more columns. In this example, click Delete
until the first column in the list is GROUP_KEY.
d. Click Back to return to the Edit Report screen.
12. If you want to rearrange the report columns, complete the following actions:
a. Select Arrange Columns on the Edit Report screen.
b. On the Order Columns screen, select the required column from the pull-down
list and click < or > to move the column to the left or the right. In this
example, select USER_GROUP.NAME then click the left arrow button until
this column is first in the list.
c. Repeat the previous step to rearrange more columns.
d. Click Back to return to the Edit Report screen.
13. If you want to specify a condition in your query, complete the following steps:
v Click Modify conditions on the Edit Report screen.
v On the Modify Report Limits screen, choose the appropriate method to
select a limit:
– Click Quick Limits to select an already defined limit (if any have been
defined) from the pull-down list.
- Click Add to add this condition to your query.
Note: The created report is displayed only in the Custom Reports menu
of the Admin User (or Super User) who created the report. If a group
or groups is selected in the step above, the report is also displayed in the
Custom Reports menu of any users who are members of the selected
groups.
– Click Submit.
Note:
1. Click Reset on the Edit Custom Report and Group Access Rights screen to clear
or reset any changes made to the input screen.
2. Click Cancel on the Edit Custom Report and Group Access Rights screen to
return to the previously displayed screen and the Custom Report is not created.
Generate the base report by selecting the required report from the relevant menu.
For example to use the All Targets report as the base report, complete the
following steps
1. Select Targets > All targets.
2. The All Targets Report is displayed.
3. Click Edit SQL, on the top right of the screen.
4. Follow from step 3 on page 98
Note: The created report is displayed only in the Custom Reports menu of the
Admin User (or Super User) who created the report. If a group or groups is
selected in the step above, the report is also displayed in the Custom Reports
menu of any users who are members of the selected groups.
5. Click Submit.
The Custom Report is generated and its results are displayed on the screen.
The User Custom reports list is displayed listing all custom reports created by the
currently logged on Super User or Administrator.
To use Edit Custom Report and Access, complete the following steps:
1. Select Reports.
2. To generate a list of custom reports, click All Reports, My Custom Reports
or All Custom Reports.
Note: The created report is displayed only in the custom reports menu of the
Admin User (or Super User) who created the Report. If a group or groups is
selected in the step above, the report is also displayed in the Custom Reports
menu of any Users who are members of the selected Groups.
12. There are two options available now
v To save the Report and finish, click Submit.
v To check the output of the report go to step 13.
13. Click Run Report.
14. If the generated report is what you require click Submit, otherwise complete
the following
v From the Reports menu select Save custom query.
v Repeat from step 9 above until the report meets your requirements.
Note: A Super User will only be able to generate the All Reports list.
3. If All Reports has been selected, select User Custom Reports, then select Run
from the Reports menu or the Action list on the left.
4. If My Custom Reports or All Custom Reports has been selected, select the
required reports from the list.
5. Choose the appropriate method:
v Click Reports > Remove My Access.
v OR select Remove My Access from the Actions list on the left.
The currently logged on Super User or Administrator can no longer run the
selected custom reports from their Custom Reports menu.
Note: As an Administrator has access to all custom reports, they can still run the
selected custom reports from the All Custom Reports report.
Note: A Super User will only be able to generate the All Reports list.
3. If All Reports has been selected, go to step 4. For My Custom Reports or All
Custom Reports, go to step 6.
4. Select User Custom Reports.
5. From the Reports menu or the Action list on the left, select Run.
6. Select the required reports from the list.
7. Choose the appropriate method:
v Click Reports > Delete Custom Report.
v OR select Delete Custom Report from the Actions list on the left.
The list of reports is refreshed and the selected custom reports are no longer in
the list.
From the steps above it is important to note that the default home page set by the
user overrides any home page that has been set for the groups that the user
belongs to. For example, user1 sets his default home page to his favorites list of
targets. User1 is a member of user group testusers. You create a custom query of
all targets manufactured by companyX and set this to be the default home page for
user group testusers. However, when user1 logs on it is his favorites list that is
displayed as the home page.
– Run a standard report from any of the IBM Endpoint Manager for Remote
Control Server menus
– Run a custom report that you have access to from the Custom reports menu.
For details of how to create and save a custom report, see “Creating a Custom
Report” on page 95.
v Click Options > Set Current Report as Homepage
Your home page is set and the following message is displayed: Your home page has
been set to report XXXXXXX, where XXXXXXX is the name of the report that you
set. For example, Your home page has been set to report Favorites.
When you log on to the server, the Favorites report is the first screen that is
displayed.
Note: Only Administrators have authority to edit the access for a custom report.
v When you save a custom report.
To set a default home page for a group, complete the following steps.
1. Choose the appropriate method for setting the home page
a. By editing the access for a saved custom report.
1) Select Reports > My Custom Reports or Reports > All Custom Reports
2) Select the report.
3) Select Edit Custom Report & Access, then go to step 2.
b. When you save a custom report.
1) Generate the custom report. For details of the various ways that a
custom report can be generated, see “Creating a Custom Report” on
page 95.
2) When you generate your report click Reports > Save As Custom
Report.
2. On the Edit Custom Report and Group Access Rights screen type in a name
and menu name for the report.
3. In the Group list select Make Default Homepage next to each group that can
have this new report as their default home page.
4. Click Submit.
The default home page is set for the selected groups. Whenever a user who is a
member of the selected groups logs on to the IBM Endpoint Manager for Remote
Control Server, the saved report is displayed as their home page.
However, if the user also has a default home page set, they see their default home
page instead.
When members of the selected group logon to the server, the new default home
page is displayed.
Chapter 12. Managing the home page for a user or group
2. Select the users.
3. From the Users menu or the Action list on the left, select Reset User
Homepage.
The next time that the user logs on, the home page that is set for any groups that
they belong to is displayed. If the groups do not have a home page set, the default
home page, as defined in trc.properties, is displayed.
The next time any of the members of the selected group logs on, the new default
home page is displayed.
Note: On screens that are not in a report format, for example search screens or
input screens, the Options menu is not visible in the menu bar.
A message is displayed showing that the table was successfully added. To add the
required database columns to the report, see “Adding a database column to a
query.”
A message is displayed showing that the column was successfully added and the
report is displayed with the new columns added. To add additional columns,
repeat from step 1.
110 IBM Endpoint Manager for Remote Control Administrator’s Guide
Chapter 14. Admin Menu Functions
The Admin menu in the IBM Endpoint Manager for Remote Control Server
provides you with configuration and troubleshooting information. The following
options are available in the menu
v Edit properties file
v View Application Log
v Send Application Log
v Import Data
v View Current Server Status
v All Remote Control Gateways
v New Remote Control Gateway
v Reset Application
v New Permission Set
v All Permissions Sets
v Target Membership Rules
The following properties files are available in IBM Endpoint Manager for Remote
Control:
v trc.properties
v log4j.properties
v ldap.properties
v common.properties
v appversion.properties
v controller.properties
v ondemand.properties
For details of the variables and relevant values that are required for these files, see
Chapter 21, “Editing the properties files,” on page 171.
Note: The utility configures only the connection, user and group search properties.
For details of enabling LDAP and additional LDAP configuration parameters, see
the IBM Endpoint Manager for Remote Control Installation Guide.
You must complete section 1 before you can access and use the remaining sections.
To access and run the utility, select Admin > LDAP Configuration Utility.
Note: This is automatically selected when you click Encrypt Password.
When you have a successful connection to your LDAP server you can then
configure and test group and user search parameters.
Note: You can use the Browse icon to the right of the field to navigate
through your directory structure and select a specific starting location.
Group Search
Specify the LDAP filter expression to be used for the group search. For
example, (objectClass=group). The defined expression must filter the
results such that only the required groups are imported to the IBM
Endpoint Manager for Remote Control database. The default value is
(objectClass=group), which means: look for any object that is a group
within the specified group base. That is, import all Active Directory
groups to IBM Endpoint Manager for Remote Control.
Note: If there are more than 100 groups found from the search, the following
message is displayed. XX Groups found.(Only the first 100 are shown.) -
where XX is the total number of groups found.
The resulting groups are displayed in the text box on the right. This is the list
of groups that will be imported from LDAP when you have LDAP synchronization
enabled. You can click the icon to the left of each group name to see a list of the
LDAP attributes and values defined for the group.
When you have achieved the required group search results you can use the User
search section of the utility to configure and test values for your User Search
LDAP properties, by following the steps in “Configuring LDAP user search
parameters” or save your current configuration by following the steps in “Saving
your LDAP configuration” on page 118.
Note: Depending on the type of LDAP server that you install, click Set Defaults to
load the LDAP utility with the default parameter values for your server type.
1. Enter the user search information. Click the question mark next to each field for
more information.
User Base
Specify the LDAP directory that you want to start the user search from.
If left blank, the search is started from the top-level element in the
directory. For example, OU=location,DC=domain,DC=com. You can refine
your search by going deeper into the OU structure and select to start
the search from within a specific organizational unit. For example, to
Note: Use the Browse icon to the right of the field to navigate through
your directory structure and select a specific starting location.
User Search
Specify the LDAP filter expression to be used for the user search, for
example (objectClass=user). The defined expression must filter the
results such that only the required users are imported to IBM Endpoint
Manager for Remote Control. The default value is
(userPrincipalName={0}@MyCompany.com). {0} is substituted with the
user ID that is used to log on to IBM Endpoint Manager for Remote
Control, and MyCompany.com is the host name of your LDAP server.
That is, look for users whose userPrincipalName matches any users that
are found within the specified UserBase.
Note: User Email must not have a null value. If your Active
Directory Tree does not contain email information, a different
attribute must be used. For example, it can be set to
userPrincipalName.
Employeeid
The name of the LDAP attribute in the user's directory entry
that contains the user's employee ID.
Title The name of the LDAP attribute in the user's directory entry
that contains the user's title.
Forename
The name of the LDAP attribute in the user's directory entry
that contains the user's given name.
Initials
The name of the LDAP attribute in the user's directory entry
that contains the user's initials.
Surname
The name of the LDAP attribute in the user's directory entry
that contains the user's surname.
Department
The name of the LDAP attribute in the user's directory entry
that contains the user's department.
Company
The name of the LDAP attribute in the user's directory entry
that contains the user's company.
Location
The name of the LDAP attribute in the user's directory entry
that contains the user's location.
Note: If more than 100 users are found from the search, the following message
is displayed. XX Users found.(Only the first 100 are shown.) - where XX is
the total number of users found.
The resulting users are shown in the text box. This is the list of users that will be
imported from LDAP when you have LDAP synchronization enabled. You can
click the icon to the left of each user name to see a list of the LDAP attributes
and values that are defined for the user. Click the icon to the right of the user
name to display the IBM Endpoint Manager for Remote Control user field
values. The user field values are imported into the IBM Endpoint Manager for
Remote Control database.
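The substitution of {0} in the User Search filter, as an added example that is not the product's code: the logon ID is escaped as RFC 4515 requires before it is inserted into the default template shown above, so that characters such as ( ) * and \ in the ID are only ever matched literally, and a check confirms the result is still a single equality assertion. The function names are my own.

```python
"""Safe substitution of {0} in the User Search LDAP filter (added example,
not the product's code). The default template shown in the text is
(userPrincipalName={0}@MyCompany.com); the value put in place of {0} comes
from the logon form, so it is escaped as RFC 4515 requires before it is
inserted into the filter.
"""

# RFC 4515 filter-value escapes. The backslash is replaced first so that
# the escape sequences produced for the other characters are left alone.
_FILTER_ESCAPES = (
    ("\\", "\\5c"),
    ("*", "\\2a"),
    ("(", "\\28"),
    (")", "\\29"),
    ("\x00", "\\00"),
)

DEFAULT_USER_SEARCH = "(userPrincipalName={0}@MyCompany.com)"


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally inside an LDAP filter."""
    for raw, escaped in _FILTER_ESCAPES:
        value = value.replace(raw, escaped)
    return value


def build_user_search_filter(user_id: str,
                             template: str = DEFAULT_USER_SEARCH) -> str:
    """Substitute the escaped logon ID for {0} in the User Search template."""
    return template.replace("{0}", escape_filter_value(user_id))


def is_single_assertion(ldap_filter: str) -> bool:
    """Check that a filter built from an equality template still contains
    exactly one parenthesised assertion, i.e. the substituted value did not
    add clauses of its own."""
    depth = assertions = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3              # skip an escaped \XX sequence
            continue
        if ch == "(":
            depth += 1
            assertions += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0 and assertions == 1
```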
When you achieve the required user search results, you can save your current
configuration by following the steps in “Saving your LDAP configuration” on page
118.
Note: If you click Cancel before clicking Save, the values will not be saved to the
LDAP properties file.
To view the application log, click Admin > View Application Log.
The application log is displayed. Press CTRL + END to reach the end of the file.
To view all defined gateways click Admin > All Remote Control Gateways.
The gateway details are removed from the IBM Endpoint Manager for Remote
Control database.
To add an IBM Endpoint Manager for Remote Control gateway to the server,
complete the following steps:
1. Click Admin > New Remote Control Gateway.
2. Supply the required information for your gateway.
Hostname
Enter the hostname for your gateway.
Description
Enter a description for your gateway. This is optional.
IP Address
Enter the IP address of the system being used as the gateway.
Port Enter the port that the gateway is listening for connections on.
3. Click Add another IP address to enter the IP address and port if the system
you are using as the gateway has multiple IP addresses.
4. Click Submit.
When you have created a gateway you should configure your network for gateway
support using the gateway configuration file. See “Configuring the gateway
support” on page 151.
Note: If at any time a system hang occurs you will need to stop and restart the
IBM Endpoint Manager for Remote Control server service.
Note: This process is applied to each of the customizable text options separately,
that is the title, paragraph 1 and paragraph 2. It is possible to display both custom
and standard text. For example if you select a locale to customize, type in
customized text for paragraph1 and paragraph2 and leave the window title field
blank. The acceptance window, for a target configured for this locale, displays the
standard window title and the customized paragraph1 and paragraph2 text.
Note: When you click Save after populating the fields with standard
text it becomes the customized text for the selected locale.
Load default customisations
Select this to populate the fields with the customized text that has been
saved for the default locale. You can edit this if required.
Note: This usually contains any additional help text that is required.
3. When you have created the required customized options click Save. Click
Close to exit from the Configure Target session acceptance dialog window.
Note:
a. If during the customization process you select a different locale you are
given the following options
Save Click this to save the options for the current locale.
Don't Save
Click this to clear the text fields and keep the newly selected locale
available.
Cancel
Click this to return to the Configure Target session acceptance
dialog window with the previous locale still selected.
b. If you leave the Title, Paragraph 1 or Paragraph 2 fields blank no
customized text is saved for that option.
After you have created and saved customized options, if a remote control session
with user acceptance enabled is requested, the user acceptance panel is displayed
on the target with the customized or standard text that has been configured and
saved for the target machine's locale.
Note: If you set values locally for these properties and later the target takes part in
remote control sessions started from the server, the local values are overwritten
with values passed from the server.
CustomConfirmTitle
Use this property to define a customized window title for the user
acceptance window. When there is no translation available for the locale
that the target is configured for, the default string, that is saved in
CustomConfirmTitle, is displayed for the window title. If you want a
customized window title for specific locales you can create multiple
CustomConfirmTitle.X properties, where X is the locale. For example
CustomConfirmTitle.fr.
ConfirmExtraText
Use this property to define a customized paragraph 1 for the user
acceptance window. When there is no translation available for the locale
that the target is configured for, the default string, that is saved in
Note: For details of the properties see, “Configuring the user acceptance
window for a peer to peer session” on page 122.
b. Type in the required string and click OK.
v Create a locale-specific property
a. Right-click the right pane and select New > String Value.
b. Type in the name for the property with the locale and press ENTER. For
example CustomConfirmTitle.fr.
c. Right-click the new property and select Modify.
d. Type in the required string and click OK.
4. Restart the IBM Endpoint Manager for Remote Control target service.
If you want to add a custom icon to the acceptance window you can rename
your file to CustomConfirmIcon.bmp and save the file to the directory defined in
the WorkingDir target property.
The uploaded icon files are displayed in the Configure session dialog window.
The View Permissions Sets screen is displayed listing all defined permissions sets.
Note: The next time one of these targets contacts the server, its
group membership is recalculated if rc.tmr.at.every.callhome=Yes
or rc.tmr.at.triggered.callhomes=Yes (the target has come
online or has changed its computer name or IP address) and the
following conditions are satisfied:
v its computer name or IP address satisfies the new rule
v it is affected by the rule that was deleted
v it does not satisfy the updated rule
Note: The group membership of targets that have been manually assigned to
target groups is not modified by target rules.
For example, if an administrator assigns target1 to target group T1 using
the Manage Group Membership function, it remains a member of
T1 until it is manually removed from the target group or until
the group is deleted.
Creating rules
You can create rules which will assign targets to target groups if their computer
name or IP address matches conditions set in the rules. For example, you can
assign targets whose IP addresses fall into a specific range of addresses to one or
more target groups when they first register with the IBM Endpoint Manager for
Remote Control Server or every time they contact the server. For details of
properties affecting the group assignment, see “Defining when membership rules
are applied” on page 125.
Note:
a. If you have rules that are required to be checked you should make
them a higher priority to ensure that they are checked against the
target. Rules with a lower priority, those further down the list, may
not be reached if you have a rule with Stop processing enabled
near the top of the rules list.
4. Select the required groups that you want the target to be assigned to if it
matches the conditions for the rule.
5. Click Submit.
Viewing rules
After you have created rules for assigning targets to target groups you can view
the list of defined rules by completing the following steps:
1. Click Admin > Target Membership Rules.
2. Select Show rules.
The list of defined rules is displayed. You can select these rules to edit the rules
definition or delete the rules.
Checking rules
You can enter a target's IP address or computer name and use the Simulate
against rules function to check whether the target matches with any of the defined
To check the target's details against already defined rules, complete the following
steps:
1. Click Admin > Target Membership Rules
2. Select Simulate against rules.
3. Type in the target details that you want to search on.
IP address
Type in the IP address that you want to check against the rules.
Computername
Type in the computer name that you want to check against the rules.
4. Click Test.
The list of rules is displayed. Any rules that match the IP address or computer
name are highlighted and the word matched is displayed next to them. You can also
see from the matched entry which target groups the target would be assigned to. If
no match is found, a message is displayed.
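The rule check described above, as an added example that is not the product's code: rules are evaluated in priority order, a match adds the rule's target groups, and a rule with Stop processing enabled ends the evaluation. How a rule expresses its condition is not given here, so a CIDR range for the IP address and a glob pattern for the computer name are assumed.

```python
"""Simulate target membership rules (added example, not the product's code).

Rules are checked in priority order, highest first. A rule that matches
the target's IP address or computer name adds its target groups, and a rule
with Stop processing enabled ends the check so lower rules are not reached.
How a rule expresses its condition is not specified here: an IP range in
CIDR form and a computer-name glob are assumed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class MembershipRule:
    name: str
    target_groups: List[str]              # assigned when the rule matches
    ip_range: Optional[str] = None        # assumed CIDR form, e.g. "10.1.0.0/24"
    computer_name: Optional[str] = None   # assumed glob form, e.g. "LAB-*"
    stop_processing: bool = False

    def matches(self, ip: Optional[str], computer_name: Optional[str]) -> bool:
        """True when either condition set on the rule matches the target."""
        if self.ip_range and ip and ip_address(ip) in ip_network(self.ip_range):
            return True
        if self.computer_name and computer_name and fnmatchcase(
                computer_name.upper(), self.computer_name.upper()):
            return True
        return False


def simulate_against_rules(rules: List[MembershipRule], ip: Optional[str] = None,
                           computer_name: Optional[str] = None
                           ) -> Tuple[List[str], List[str]]:
    """Return (names of matched rules, groups the target would be assigned to)."""
    matched: List[str] = []
    groups: List[str] = []
    for rule in rules:                     # list is ordered by priority
        if not rule.matches(ip, computer_name):
            continue
        matched.append(rule.name)
        for group in rule.target_groups:
            if group not in groups:
                groups.append(group)
        if rule.stop_processing:           # lower-priority rules are not reached
            break
    return matched, groups


# Constructed sample rule list, highest priority first.
SAMPLE_RULES = [
    MembershipRule("Lab machines", ["LabTargets"], computer_name="LAB-*",
                   stop_processing=True),
    MembershipRule("Secure network", ["SecureTargets"], ip_range="10.1.0.0/24"),
    MembershipRule("All internal", ["AllInternal"], ip_range="10.0.0.0/8"),
]
```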
Editing rules
After you have created rules for assigning targets to target groups, you can edit a
rule to change the conditions that determine the target's group membership by
completing the following steps:
1. Click Admin > Target Membership Rules.
2. Select Show rules.
3. Select the required rule.
4. Select Edit rule.
5. Change the required information and select Submit.
The changes to the rule are saved and are used the next time a target's information
is checked against the rule.
Deleting rules
After you have created rules for assigning targets to target groups, you can delete
these rules if they are no longer required. There are three types of deletion
that can be selected, which result in the following actions taking place.
1) Leave target membership and target groups unchanged
You can select this option to just delete the rule and nothing else. Any
targets whose group membership was assigned using this rule will remain
members of the target groups that they were assigned to.
2) Reset target membership and preserve target groups
You can select this option to delete the rule and reset the target group
membership. Any targets whose group membership was assigned using
this rule will no longer be members of the target groups that were
associated with this rule.
3) Reset membership and delete target groups
You can select this option to delete the rule, reset the target group
membership and delete the target group. Any targets whose group
membership was assigned using this rule will no longer be members of the
You can delete one or more rules by completing the following steps:
1. Click Admin > Target Membership Rules.
2. Select Show rules.
3. Select the required rules.
4. Select Delete rules.
5. On the Target Membership Rules screen select the type of deletion required.
6. Click Submit. If you have chosen deletion type 2 or 3 above, a warning
message is displayed WARNING! Resetting target membership or deleting
groups cannot be undone. Click Submit to continue with the deletion of the
rule.
The target membership rule is deleted from the IBM Endpoint Manager for Remote
Control database and the actions associated with the selected deletion option are
carried out.
Note: This utility can only be used to install the target software on one target at a
time. It is not intended for mass distribution of the software. On Linux, only the root
user is allowed to perform this function.
To perform the remote installation, you will also require the following information:
v Target hostname or IP address.
v The admin user ID used for logging on to the target.
v The admin password used for logging on to the target.
Windows XP prerequisites
Windows XP systems must have Simple File Sharing disabled. Simple File Sharing
forces all logins to authenticate as guest but a guest login does not have the
authorizations necessary for the remote installation utility to function. To disable
Simple File Sharing, complete the following steps:
1. Using Windows Explorer click Tools > Folder Options.
2. Select the View tab.
3. Scroll through the list of settings until you find Use Simple File Sharing.
4. Remove the check mark next to Use Simple File Sharing, click Apply and OK.
Windows 7 prerequisites
You must perform the following on Windows 7 targets.
v Configure the remote registry.
v Configure the User Account Control feature.
To check if the Remote Registry service is enabled and started, complete the
following steps:
1. Click Start.
2. In the Start Search box, type services.msc. Press ENTER.
3. When Microsoft Management Console starts, in the console pane, ensure that
the service status is: started. If not, right-click Remote Registry, and click Start.
To avoid problems with the manual startup, set the Remote Registry service
startup type to automatic. If you want the service to start automatically after
the system boots, complete the following steps:
a. Right-click Remote Registry and select Properties.
b. In the Startup type option, choose Automatic.
c. Click Apply and OK. When the system starts up, Remote Registry
automatically starts.
4. Turn off password protected sharing.
a. Click Control Panel > Networking and Internet > Network and Sharing
Center.
b. Click Change Advanced Sharing settings.
c. Click the down arrow that is next to Password protected sharing.
d. Click Turn off password protected sharing.
e. Click Apply and exit the control panel.
Additionally, on Windows Server 2008 you might need to disable User Account
Control if your account is not a domain user account. For more information about
disabling User Account Control, see “Configuring user account control” on page
134. You can select the File and Printer Sharing box and the remote registry box in
the Exceptions tab of the Windows Firewall configuration to allow access if the
firewall is enabled.
If you have a domain user account, ensure that the controller and the target
machine are both members of a Windows domain. If you are a member of a local
administrators group and you use a local user account, complete the three steps
below to be able to perform administrative tasks on the target machine:
1. Enable the built-in Administrator account and use it to connect.
a. Open the Windows Control Panel.
b. Click Administrative Tools > Local Security Policy > Security Settings >
Local Policies > Security Options.
c. Double-click on Accounts: Administrator account status and select enable.
2. Disable User Account Control if a different Administrator user account is to be
used to connect to the Vista target. To disable User Account Control, complete
the following steps:
a. Open the Windows Control Panel.
b. Click Administrative Tools > Local Security Policy > Security Settings >
Local Policies > Security Options.
c. Double-click User Account Control: Run all administrators in Admin
Approval Mode and select disable. Changing this setting requires a system
reboot.
3. Disable User Account Control when you administer a workstation with a local
user account (Security Account Manager user account). Otherwise, you do not
connect as a full administrator and cannot perform administrative
tasks. To disable User Account Control, complete the following steps:
a. Click Start, click Run, type regedit, and press ENTER.
b. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Policies\System
c. If the LocalAccountTokenFilterPolicy registry entry does not exist, follow
these steps:
1) On the Edit menu, point to New, and then click DWORD Value.
2) Type LocalAccountTokenFilterPolicy, and press ENTER.
d. Right-click LocalAccountTokenFilterPolicy, and click Modify.
e. In the Value data box, type 1. Click OK.
f. Restart your computer.
Alternatively, you can add the registry entry from a command prompt by typing the
following command:
cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
Connections cannot be established with any UNIX targets that have all remote
access protocols (rsh, rexec, and SSH) disabled.
To communicate with Linux and other SSH targets using password authentication,
you must edit the /etc/ssh/sshd_config file on the target machines and set:
PasswordAuthentication yes
After changing this setting, stop and restart the SSH daemon using the following
commands:
/etc/init.d/sshd stop
/etc/init.d/sshd start
For example:
To use the remote installation feature to install Windows targets over IPv6, the
server must be able to resolve the IPv6 address of the host. If that does not
happen, the connection fails.
Note:
1. The host name cannot contain any colon characters because these characters are
not supported by the Server Message Block (SMB) protocol. If there is a need to
use the IPv6 address directly, you might try converting the IPv6 address to the
ipv6-literal namespace format. For example, the IPv6 address:
2001:4898:2b:4:bdb1:1c0:a5d8:438e might work when converted to:
2001-4898-2b-4-bdb1-1c0-a5d8-438e.ipv6-literal.net.
If you encounter problems with IPv6 connection, complete the following steps:
1. Verify whether a port is blocked using the following command: telnet <IPv6
address> 445. If the connection to the host cannot be opened, it means that the
port is blocked. When this happens, complete the following steps:
a. Start the Registry Editor (regedt32.exe).
b. Locate the following key in the Windows registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Smb\Parameters
c. Add the following entries to the registry key:
DWORD key IPv6Protection
Add with hex value 00000014 (0x00000014).
DWORD key IPv6EnableOutboundGlobal
Add with hex value 1 (0x1).
d. Reboot your computer for the changes to take effect.
2. Verify if the shared disks can be accessed by issuing the command net use *
\\<IPv6 host_domain_name>\c$
If the command returns an error and you cannot connect to the shared drive c$,
it means that the disk cannot be accessed.
When this happens, follow the steps below to use the IPv6 protocol:
a. Start the Registry Editor (regedt32.exe).
b. Locate the following key in the Windows registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
LanmanServer\Parameters
c. Add the following entries to the registry key:
DWORD key DisableStrictNameChecking
Add with value 1 (decimal) to enable file sharing.
d. Reboot your computer for the changes to take effect.
Note: Click Reset to clear all fields or set them back to their previous values.
4. The Remote Install summary screen is displayed with your chosen values. You
can select one of the following options:
v Click Back to go back and change any values.
Note: If you are using a proxy, you must re-enter the target user password
and the proxy password.
v Click Install to install the target software.
As the installation progresses, Complete is displayed at each stage. If there is a
problem during any part of the installation, a message is displayed. Click OK
to return to the Remote Install screen to change values.
5. When the installation finishes, click OK.
The target software is installed on the target. You can verify the installation by
running the All targets report to see whether the target is listed.
Note: You can click Refresh if the target details are not displayed in the list.
To view the Remote Install History, click Tools > Remote Install History.
The Remote Installations report is displayed. This report contains all of the
remote installations attempted, both those that were successful and those that failed.
> 1 match found
If more than one match is found, the first match is used.
This scenario is very unlikely.
False The old target details are not sent to the server and the new
changed details are used to try to find a match. However if only
one of the 4 criteria has changed and the
match.allow.data.changes property is set to true then a best match
is looked for.
match.allow.data.changes
This property is used to try to find a best match for a target in the
database.
True This is the default value. When set to true, a best match is
successful if all but 1 of the 4 criteria match an already registered
target.
0 matches
If no match is found a new hardware key is generated and
a new target entry is created in the database.
1 match
If a match is found the details of the matched database
entry are updated.
> 1 match found
If more than one match is found, a new hardware key is
created.
False If the perfect match process is enabled and no match is found for
all 4 of the target criteria, the best match option is not considered
and depending on the value of match.change.notifications, if no
match is found then a new target entry is created in the database.
Matching on GUID
Configure this matching option to use the target's Globally Unique Identifier
(GUID) to try to find a match in the database. The GUID is created by the target
software.
Note: When using this method you must not clone any machines in your
environment after the target software has been installed without first deleting the
file called TGT_INFO.PROPERTIES which can be found in the target's data folder.
Failure to delete the file before cloning will result in many assets matching with
one database entry.
match.guid.only
True When a target contacts the server its GUID is used to try to find a
match in the database. If a match is found the details of the
matched database entry are updated. If no match is found a new
hardware key is generated and a new target entry is created in the
database.
0 matches
If no match is found a new hardware key is generated and
a new target entry is created in the database.
1 match
If a match is found the details of the matched database
entry are updated.
> 1 match found
If more than one match is found the other 3 criteria used in
the perfect match option are then checked against the
database to see if a perfect match or best match can be
found. If none can be found, the entry for the first match
that was found is updated.
False When a target contacts the server its GUID is not used to try to
find a match in the database.
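The matching behaviour described above, as an added example that is not the product's code: a perfect match needs all four criteria to equal a registered entry, a best match (match.allow.data.changes=True) needs all but one of them, and with match.guid.only=True the GUID is tried first, with the other three criteria deciding between several entries that share a GUID. The GUID is one of the four criteria; the other three attribute names are assumed, as is the form of the generated hardware key.

```python
"""Match a contacting target to its database entry (added example, not the
product's code). It models the rules in the text: a perfect match needs all
four criteria to equal a registered entry; a best match
(match.allow.data.changes=true) needs all but one; with match.guid.only=true
the GUID is tried first and, when several entries share it, the other three
criteria decide, falling back to the first entry found. The GUID is one of
the four criteria; the other three names below are assumed.
"""
from itertools import count
from typing import Dict, List, Tuple

# Four matching criteria: GUID plus three assumed attribute names.
CRITERIA = ("guid", "computername", "ipaddress", "serialnumber")

Entry = Dict[str, str]


class TargetRegistry:
    def __init__(self) -> None:
        self.entries: List[Entry] = []
        self._keys = count(1)

    def _create(self, details: Entry) -> Tuple[str, Entry]:
        # A new hardware key is generated for every new entry (assumed form).
        entry = dict(details, hardwarekey=f"HWKEY-{next(self._keys)}")
        self.entries.append(entry)
        return "created", entry

    @staticmethod
    def _update(entry: Entry, details: Entry) -> Tuple[str, Entry]:
        entry.update(details)        # the matched entry takes the new details
        return "updated", entry

    @staticmethod
    def _with_at_least(entries: List[Entry], details: Entry, n: int) -> List[Entry]:
        """Entries agreeing with `details` on at least n of the criteria."""
        return [e for e in entries
                if sum(e.get(c) == details.get(c) for c in CRITERIA) >= n]

    def register(self, details: Entry, guid_only: bool = False,
                 allow_data_changes: bool = True) -> Tuple[str, Entry]:
        """Return ('updated' | 'created', entry) for a target contacting the server."""
        if guid_only:
            same_guid = [e for e in self.entries if e.get("guid") == details.get("guid")]
            if not same_guid:
                return self._create(details)
            if len(same_guid) == 1:
                return self._update(same_guid[0], details)
            # Several entries share the GUID (e.g. machines cloned without
            # deleting TGT_INFO.PROPERTIES): try a perfect match, then a best
            # match, and otherwise update the first entry found.
            narrowed = (self._with_at_least(same_guid, details, 4)
                        or (self._with_at_least(same_guid, details, 3)
                            if allow_data_changes else []))
            return self._update((narrowed or same_guid)[0], details)

        perfect = self._with_at_least(self.entries, details, 4)
        if perfect:                        # more than one: the first is used
            return self._update(perfect[0], details)
        if allow_data_changes:
            best = self._with_at_least(self.entries, details, 3)
            if len(best) == 1:
                return self._update(best[0], details)
            # 0 best matches, or more than 1: a new hardware key is generated
        return self._create(details)
```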
For more details of these policies, see Chapter 7, “Server session policies,” on page
47.
Note: When the target cannot contact the server to upload the recording, it keeps it
in a queue. It later tries to contact the server and, if successful, sends a list of the
session IDs corresponding to the recordings to the server. The server checks each
ID against the session history and, if it does not find a session history for a
particular ID, reports this to the target. If Keep recording in target is set to
No, the target deletes the recording. If the property is set to Yes, the target
removes the recording from the queue but still keeps the recording on its own
disk. The following scenarios could cause the server not to find the IDs.
v The IBM Endpoint Manager for Remote Control Server was restored from a
previous backup or the server was reinstalled with a clean database and no
record of the Session ID exists in the database.
v The target was configured to connect to a different server. For example, it was
pointing to Server1 and is now redirected to Server2, but this server has no
matching Session ID for the recording.
146 IBM Endpoint Manager for Remote Control Administrator’s Guide
Chapter 18. Set up for exporting recordings
A remote control session can be recorded and saved to the IBM Endpoint Manager
for Remote Control Server. This recording can then be exported and saved to a
local system at a later date, for example to be used for education or training
purposes. To enable the exporting function, you must complete the setup
steps relevant to the operating system on which you have installed the IBM Endpoint
Manager for Remote Control Server.
Note: The jmf.jar file must be copied again into the
WEB-INF\lib directory whenever the IBM Endpoint Manager for Remote Control
Server is updated, otherwise the exporting function is disabled.
5. Copy the file jmf.jar from the JMF installation directory to the WEB-INF/lib
directory within the IBM Endpoint Manager for Remote Control Server
installation directory
6. Start the IBM Endpoint Manager for Remote Control Server service by using
the following command
/etc/init.d/trcserver start
Note: The jmf.jar file must be copied again into the
WEB-INF/lib directory whenever the IBM Endpoint Manager for Remote Control
Server is updated, otherwise the exporting function is disabled.
When the feature is enabled, the task is run and the file is created on the server
with a name in the following format:
XXXtimestamp.log
where XXX is the value that has been set for task.logdistribution.file.
When the log is created, each entry identifies the session, target and user, and a
message of what action was carried out. For example:
sessionkey=8, target=TIVTEST1, user=Admin
January 26, 2013 9:15:28 AM GMT
Session Connection Attempt by Default Administrator
@192.0.2.0[00:11:25:f7:b2:1e]
Note: Each time the task runs it includes the log data created since the last task
execution.
Chapter 20. Accessing targets on different networks
If you have targets, controllers and servers on different networks that cannot
directly contact each other, you can install and configure gateway support. After
installing, you can configure your network to enable connections to be established.
For details of installing the gateway support, see the IBM Endpoint Manager for
Remote Control Installation Guide.
The IBM Endpoint Manager for Remote Control gateway supports the following types
of connections:
Inbound connections
Configure these connections for the gateway to accept connections from
endpoints, controllers, and other gateways.
Gateway connections
Configure a gateway to establish a permanent connection with another
gateway.
Endpoint connections
Configure the gateway to locate endpoints from which a request has been
received.
Tunnel connections
Used to facilitate TCP connections to the IBM Endpoint Manager for
Remote Control server from the target.
The gateway administrator defines the connections that are required for each
gateway, in the configuration file.
Define the connections that are required in the gateway configuration file. The
gateway configuration file has a similar format to a Java properties file.
v The gateway supports multiple instances of each connection type
v The configuration directives for each connection have a user defined prefix.
You can define four types of connections depending on the setup of your
environment.
v Inbound connections
v Gateway connections
v Endpoint connections
v Tunnel connections
The following optional parameters can be used to further configure your gateway.
FIPSCompliance
Set the value of this parameter to Yes to use a FIPS certified cryptographic
provider for all cryptographic functions. Default value is No.
SP800131ACompliance
Set the value of this parameter to Yes to enforce NIST SP800-131A
compliant algorithms and key strengths for all cryptographic functions.
Default value is No.
Note:
1. Do not start a prefix with # or !. These characters are reserved for comments in
properties files.
2. If you want to include spaces in the prefix, you must escape them with \.
For example, my connection.ConnectionType
should be defined as my\ connection.ConnectionType
See the Notes in “Configuring inbound connections” on page 152 for rules for
defining prefixes.
Note: Intermediate gateways that merely connect two
separate gateways should not have any endpoint connections configured, as this
would increase network traffic unnecessarily.
Note: The default is 0.0.0.0/0.0.0.0 which specifies that the gateway will
attempt to connect to any endpoint.
SubnetMask
Defines the subnet mask of a subnet that can be connected to, either
directly or indirectly. If you do not specify this the gateway will try to
connect to any target, therefore by specifying specific values you can
define what addresses to look at so that it is optimized. This parameter is
optional. Default is 0.0.0.0
BindTo
Defines the IP address of the network interface through which the
connection is made. If required, the gateway can be configured to connect
to the endpoints from a specific port and interface only. This may be
required if the endpoints have a desktop firewall that only allows the
gateways to connect to them. For example:
endpoint.1.BindTo=192.168.74.1
This parameter is optional. Default is 0.0.0.0
prefix.ConnectionType=Inbound
prefix.PortToListen=8881
prefix2.ConnectionType=InboundTunnel
prefix2.PortToListen=8882
Previously, to create an inbound connection for IPv6, the connection would have
had to be bound to the IPv6 ANY address, which is 0:0:0:0:0:0:0:0 or, in compressed
notation, ::, as follows:
prefix.ConnectionType = Inbound
prefix.PortToListen=8881
prefix.BindTo= \::
prefix.ConnectionType = Inbound6
prefix.PortToListen = 8881
prefix2.ConnectionType = InboundTunnel6
prefix2.PortToListen = 8882
Note: If you want the gateway to listen for both IPv4 and IPv6 incoming
connections you should define an inbound and an inbound6 connection type entry
in the gateway configuration file.
prefix.ConnectionType = Endpoint
prefix.SubnetAddress = 198.51.100.0
prefix.SubnetMask = 255.255.255.0
prefix.ConnectionType = Endpoint
prefix.Subnet = 198.51.100.0/24
prefix2.ConnectionType = Endpoint
prefix2.Subnet = 2001:db8:d005:ee::/64
Note: The gateway does not support IPv6 subnets with the SubnetAddress /
SubnetMask notation.
prefix.ConnectionType = Endpoint
Previously to configure an endpoint connection for IPv6 the default Subnet would
have had to be overwritten.
prefix.ConnectionType = Endpoint
prefix.Subnet = \::/0
To configure an endpoint connection that tries to locate all endpoints with IPv6
addresses, you can now use Endpoint6 instead.
prefix.ConnectionType = Endpoint6
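A parser and sanity check for the gateway configuration file described above, as an added example that is not the product's own code: it reads the Java-properties syntax (comments starting with # or !, prefixed directives, backslash-escaped spaces in prefixes), then reports whether FIPSCompliance and SP800131ACompliance are enabled, whether every inbound type has a PortToListen, and whether an IPv6 subnet was given in the unsupported SubnetAddress/SubnetMask notation. Treating PortToListen as mandatory for every inbound type is an assumption, and the sample configuration is constructed.

```python
"""Parse and sanity-check an IBM Endpoint Manager for Remote Control gateway
configuration file (added example, not the product's own parser).

The file uses Java properties syntax: lines starting with '#' or '!' are
comments, each connection is a group of `prefix.Directive = value` lines,
and a space inside a prefix is escaped as "\\ ". The checks encode the rules
stated in the text; treating PortToListen as mandatory for every inbound
type is an assumption.
"""
import re
from ipaddress import ip_network
from typing import Dict, List

# Connection types named in the text.
CONNECTION_TYPES = {"Inbound", "Inbound6", "InboundTunnel", "InboundTunnel6",
                    "Gateway", "Endpoint", "Endpoint6", "OutboundTunnel"}
# Optional global parameters; both default to No.
GLOBAL_KEYS = ("FIPSCompliance", "SP800131ACompliance")


def parse_gateway_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {prefix: {directive: value}}; global parameters use prefix ''."""
    connections: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue                      # blank line or comment
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = re.split(r"\s*=\s*", line, maxsplit=1)
        key = re.sub(r"\\(.)", r"\1", key)      # unescape "my\ connection"
        value = re.sub(r"\\(.)", r"\1", value)  # unescape e.g. "\::" -> "::"
        prefix, _, directive = key.rpartition(".")  # directive follows last '.'
        connections.setdefault(prefix, {})[directive] = value
    return connections


def check_gateway_config(connections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    globals_ = connections.get("", {})
    for key in GLOBAL_KEYS:
        if globals_.get(key, "No") != "Yes":
            findings.append(f"{key} is not enabled (default No)")
    for prefix, directives in connections.items():
        if prefix == "":
            continue
        ctype = directives.get("ConnectionType")
        if ctype not in CONNECTION_TYPES:
            findings.append(f"{prefix}: unknown ConnectionType {ctype!r}")
            continue
        if ctype.startswith("Inbound") and "PortToListen" not in directives:
            findings.append(f"{prefix}: {ctype} connection has no PortToListen")
        if ctype == "Endpoint":
            # IPv6 subnets are not supported in SubnetAddress/SubnetMask notation.
            if ":" in directives.get("SubnetAddress", ""):
                findings.append(f"{prefix}: IPv6 subnet must use Subnet (CIDR), "
                                "not SubnetAddress/SubnetMask")
            subnet = directives.get("Subnet")
            if subnet is not None:
                try:
                    ip_network(subnet, strict=False)
                except ValueError:
                    findings.append(f"{prefix}: invalid Subnet {subnet!r}")
    return findings


# Constructed sample configuration built from the directives shown in the text.
SAMPLE_CONFIG = """\
# constructed sample, not a shipped configuration
FIPSCompliance = Yes
SP800131ACompliance = No
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
Inbound.2.ConnectionType = Inbound6
my\\ connection.ConnectionType = InboundTunnel6
my\\ connection.PortToListen = 8882
Endpoint.1.ConnectionType = Endpoint
Endpoint.1.Subnet = 198.51.100.0/24
Endpoint.2.ConnectionType = Endpoint
Endpoint.2.SubnetAddress = 2001:db8:d005:ee::
Endpoint.2.SubnetMask = ffff:ffff:ffff:ffff::
"""

if __name__ == "__main__":
    for finding in check_gateway_config(parse_gateway_config(SAMPLE_CONFIG)):
        print(finding)
```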
Networks
Table 4. Networks
Network name        Subnet address   Netmask
Secure network      10.1.0.0         255.255.255.0
DMZ                 10.2.0.0         255.255.255.0
Unsecure network    10.3.0.0         255.255.255.0
Machines
Table 5. Machines
Hostname   IP address   Roles
SERVER     10.1.0.2     remote control server on port 80
GATEWAYA   10.1.0.254   remote control gateway on port 8881
GATEWAYB   10.2.0.254   remote control gateway on port 8881
GATEWAYC   10.3.0.254   remote control gateway on port 8881
TARGET     10.1.0.3     remote control target on port 888
Firewall
Table 6. Firewall
Source                       Destination                  Port   Description
10.1.0.254/255.255.255.255   10.2.0.254/255.255.255.255   8881   Allow GATEWAYA to connect to GATEWAYB
10.2.0.254/255.255.255.255   10.3.0.254/255.255.255.255   8881   Allow GATEWAYB to connect to GATEWAYC
Gateway setup
v Gateway support is installed on machine GATEWAYA in the secure network. An
IBM Endpoint Manager for Remote Control gateway named GATEWAYA is also
installed because there are controllers present on the secure network that need to
connect to the targets on the unsecure network.
To install the gateway support, see the IBM Endpoint Manager for Remote
Control Installation Guide.
Gateway configuration
Inbound.1.ConnectionType= Inbound
Inbound.1.PortToListen = 8881
Gateway.A.ConnectionType=Gateway
Gateway.A.DestinationPort = 8881
Gateway.A.RetryDelay = 15
Gateway.A.KeepAlive = 900
OutboundTunnel.1.ConnectionType=OutboundTunnel
OutboundTunnel.1.DestinationPort = 80
Inbound.1.ConnectionType= Inbound
Gateway.B.ConnectionType=Gateway
Gateway.B.DestinationPort = 80
Gateway.B.RetryDelay = 15
Gateway.B.KeepAlive = 900
Inbound.1.ConnectionType= Inbound
Inbound.1.PortToListen = 8881
InboundTunnel.1.ConnectionType=InboundTunnel
Endpoint.1.ConnectionType=Endpoint
Endpoint.1.SubnetMask= 255.255.255.0
When a target requires an HTTP or HTTPS connection with the IBM Endpoint
Manager for Remote Control Server, it first connects to port 8880 on GATEWAYC.
GATEWAYC accepts this connection and immediately creates a tunnel to
GATEWAYA, via GATEWAYB. GATEWAYA then connects to the IBM Endpoint
Manager for Remote Control Server and acknowledges the connection to
GATEWAYC via GATEWAYB. When the tunnel is established, gateways C and A
start reading any data from their respective connections and forwarding it to each
other via the tunnel as well as writing any traffic received from the tunnel to this
connection. The result is that the target and the server can communicate while
being unaware that the traffic is being tunneled. When either party shuts down
their end of the connection, the tunnel is torn down and the other connection is
also shut down.
Note: Each request requires 32 bytes of memory. The gateway can handle more
than 200 requests per second with the default settings.
LogRotation = Weekly
LogRollover = Daily
LogRollover
Controls the period after which a new log file is started. This period must
be smaller than the LogRotation period; therefore, not all combinations are
valid. LogRollover cannot be disabled.
Table 8. LogRollover settings
LogRollover   Description                         Comments
Hourly        Start a new log file on the hour.   Recommended for busy gateways or when using log levels higher than 2.
Daily         Start a new log file every day.     Default setting.
# 5725-C43
# Copyright International Business Machines Corp. 2008, 2013. All Rights Reserved
# Configuration file for IBM Endpoint Manager for Remote Control Gateway
# configuration file.
# Logging levels
# 0 no logging
# 1 error
# 2 informational (default)
# LogLevel = 2
LogRotation = Weekly
LogRollover = Daily
# Defaults
# LogRotation Weekly
# LogRollover Daily
FIPSCompliance = No
# Request Pool
# RequestPool.Size = 2048
# RequestPool.MinimumTTL = 5
# Defaults
# RequestPool.Size 2048
# RequestPool.MinimumTTL 5
# Inbound Connections
# Inbound.1.ConnectionType = Inbound
# Defaults
# Inbound.BindTo 0.0.0.0
# Inbound.RetryDelay 45
# Inbound.AllowGateways yes
# Inbound.AllowEndpoints yes
# Examples
# Inbound.2.ConnectionType = Inbound
# Inbound.2.PortToListen = 8881
# Inbound.2.BindTo = 192.168.74.254
# Inbound.2.Passphrase = qagumczw0krbmyajcjOkehnrryuTv1zxyevdckcwsrk}bjfi
# Inbound.2.AllowGateways = true
# Inbound.2.AllowEndpoints = false
# Inbound.3.ConnectionType = Inbound
# Inbound.3.PortToListen = 8881
# Inbound.4.ConnectionType = Inbound
# Inbound.4.PortToListen = 8881
# Inbound.4.BindTo = 192.168.76.254
# Inbound.4.RetryDelay = 30
# Gateway Connections
# Gateway.1.ConnectionType = Gateway
# Gateway.1.DestinationAddress = 192.168.77.254
# Gateway.1.DestinationPort = 8881
# requests (optional)
# out (optional)
# requires authentication
# Defaults
# Gateway.BindTo 0.0.0.0
# Gateway.RetryDelay 45
# Gateway.KeepAlive 900
# Gateway.Timeout 90
# Examples
# Gateway.2.ConnectionType = Gateway
# Gateway.2.DestinationAddress = 192.168.78.254
# Gateway.2.DestinationPort = 8881
# Gateway.2.BindTo = 192.168.74.254
# Gateway.2.SourcePort = 8882
# Gateway.2.RetryDelay = 90
# Gateway.2.KeepAlive = 180
# Gateway.2.Timeout = 30
# Endpoint connections
# is received
# Endpoint.1.ConnectionType = Endpoint
# out (optional)
# Endpoint.SubnetAddress 0.0.0.0
# Endpoint.SubnetMask 0.0.0.0
# Endpoint.BindTo 0.0.0.0
# Endpoint.SourcePort 0
# Endpoint.Timeout 45
# Examples
# Endpoint.2.ConnectionType = Endpoint
# Endpoint.2.SubnetAddress = 192.168.79.0
# Endpoint.2.SubnetMask = 255.255.255.0
# Endpoint.3.ConnectionType = Endpoint
# Endpoint.3.SubnetAddress = 192.168.80.0
# Endpoint.3.SubnetMask = 255.255.255.0
# Endpoint.4.ConnectionType = Endpoint
# Endpoint.4.BindTo = 192.168.74.254
# Endpoint.4.SourcePort = 8882
# Tunnel connections
# Tunnel connections are used to provide connections to the TRC server for the endpoints
# when they cannot reach the server directly or via an http proxy.
# Setting up a tunnel requires two types of connections. On the gateways that can reach
# inbound tunnel port, the gateway will locate one of the corresponding outbound tunnels
# through the gateway control network. The outbound tunnel then connects to the server to
# OutboundTunnel.1.ConnectionType = OutboundTunnel
# out (optional).
# Defaults
# DestinationPort 80
# TunnelID TRCSERVER
# BindTo 0.0.0.0
# Timeout 90
# Examples
# OutboundTunnel.2.ConnectionType = OutboundTunnel
# OutboundTunnel.2.DestinationAddress = 192.168.81.52
# OutboundTunnel.3.ConnectionType = OutboundTunnel
# OutboundTunnel.3.DestinationAddress = 192.168.81.52
# OutboundTunnel.3.DestinationPort = 443
# InboundTunnel.1.ConnectionType = InboundTunnel
# Defaults
# TunnelID TRCSERVER
# BindTo 0.0.0.0
# RetryDelay 45
To edit the properties files in the IBM Endpoint Manager for Remote Control
Server UI, complete the following steps.
1. Click Admin > Edit properties file. The Edit Properties File panel is displayed.
2. Select the relevant file from the list.
3. Make the changes and click Submit.
4. For the new property values to take effect click Admin > Reset Application.
As there is a short delay while the file is rewritten, you must not make any
immediate changes until the application is reset.
Note: To manually edit the properties files, locate them on the server and edit
them. If you edit the files manually, you must reset the server application by
selecting Admin > Reset Application for the new values to be displayed when
you edit the file in the UI.
where installdir is the directory in which the IBM Endpoint Manager for Remote
Control Server is installed. For example:
/opt/IBM/Tivoli/TRC/server/wlp/usr/servers/trcserver/apps/TRCAPP.ear/trc.war/WEB-INF/classes
Category Description: There are several different categories within the file. Each
category focuses on a particular function carried out by the IBM Endpoint
Manager for Remote Control program. These categories are the same as those
configured in the installation.
trc.properties
Definitions of the properties in the trc.properties file that is packaged with the
IBM Endpoint Manager for Remote Control Server.
rc.create.assets.from.callhome=
rc.create.assets.from.brokers=
rc.recording.directory=
unknown.recording.action=
rc.dialog.session.accept.directory=
smtp.server=
smtp.authentication=
smtp.userid=
smtp.password=
error.admin.contact=
file.email.name =
file.email.mime.type =
file.email.type =
secure.url=
enforce.secure.web.access=
enforce.secure.endpoint.callhome=
enforce.secure.endpoint.upload=
enforce.secure.weblogon=
enforce.secure.alllogon=
account.lockout=
account.lockout.timeout=
account.lockout.allowlogonfrom=
account.lockout.reset.on.emailpassword=
email.admin=
browse.targets.auth=
view.all.targets.auth=
search.session.history.auth=
scheduled.interval.period=
scheduled.task.period=
DBCleaner is a looping utility that cleans up older log files based on the age
of their entries (in days). Frequency is in days. To disable cleaning, set the
value to -1.
dbcleaner.launch.on.startup=
dbcleaner.frequency=
dbcleaner.interval.period=
server.log.max.age=
transfers.history.max.age=
user.access.max.age=
password.reuse=
expire.new.password=
password.timeout=
password.timeout.period=
password.period=
password.check=
password.must.have.non.numeric=
password.must.have.numeric=
password.must.have.non.alphanumeric=
password.min.length=
password.max.length=
password.max.matching.sequential.chars=
password.max.previous.chars=
password.iterationcount =
tsv.export.use.byte.order.mark=
edit.properties.show.file.comments =
edit.properties.show.translated.comments=
date.time.format=
date.only.format =
time.only.format =
invalid.macs =
invalid.assettags =
invalid.net.addresses =
report.timeout.frequency =
report.manager.frequency =
report.manager.period =
allow.target.group.override =
default.group.name =
default.rc_def_grace_time =
default.rc_def_timeout_op =
default.rc_def_insession_ft =
default.rc_def_ft_actions =
default.rc_def_allowed_times
new.password.template
access.request.request.template
access.request.request.anon.template
access.request.reject.template
access.request.reject.anon.template
access.request.grant.template
access.request.grant.anon.template
trc.feature.denied.program.execution.list =
trc.ticket.allow.access =
trc.ticket.allow.allaccess =
trc.ticket.groupprefix =
P_R_G where
v P = trc.ticket.groupprefix property
v R = the request key value for the access request
v G = the group type, U for user group, T for target group.
For example: t$t_5_U
trc.ticket.priority =
trc.default.request.priority =
trc.ticket.temp.usergrpupdesc
trc.ticket.temp.targetgrpupdesc
task.logdistribution.path =
task.logdistribution.file
registry.key.X =
nat.ip.support =
nat.exclude.list =
match.allow.data.changes =
match.computername.only =
match.guid.only =
match.change.notification =
rc.tmr.at.registration =
rc.tmr.at.every.callhome =
rc.tmr.at.triggered.callhomes =
rc.tmr.at.rules.change =
hb.timeout.lookup.mode
hb.timeout.att.defn
default.homepage.method=
workaround.rdp.console.w2k3 =
target.search.minimum.nonwildcards =
target.search.maximum.wildcards =
heartbeat.delay=
heartbeat.on.wake =
heartbeat.on.userchange =
heartbeat.on.change =
heartbeat.on.stop =
broker.code.length =
broker.code.timeout =
broker.trusted.certs.required =
rc.recording.filename.format =
common.properties
index.title=
fips.compliance=
sp800131a.compliance=
authentication.LDAP=
authentication.LDAP.config=
sync.LDAP=
users.forename.required=
users.surname.required=
users.country.required=
users.userid.required=
users.address_1.required=
users.address_2.required=
users.email.required=
users.town.required=
users.postcode.required=
users.nickname.required=
users.tel_no.required=
users.mob_no.required=
users.employeeid.required=
users.department.required=
users.password.required=
users.display.left.x=
users.display.right.x=
limit.recently.accessed=
ldap.properties
This section describes the architecture of the ldap.properties file.
ldap.connectionPassword =
ldap.connectionURL =
ldap.security_authentication=
ldap.groupName=
ldap.groupNameTrim=
ldap.groupDescription=
ldap.groupMembers=
ldap.groupBase=
ldap.groupBase=OU=Groups,OU=MyLocation,
DC=MyCompany,DC=com
ldap.groupSearch=
ldap.groupSubtree=
ldap.userPassword =
ldap.userEmail=
ldap.userid=
If the following parameters are defined, they are mapped into the local database.
ldap.forename=
ldap.surname=
ldap.title=
ldap.initials=
ldap.company=
ldap.department=
ldap.telephone=
ldap.mobile=
ldap.state=
ldap.country=
ldap.userBase=
ldap.userSearch=
ldap.userSubtree =
ldap.userInGroup =
log4j.properties
This section describes the architecture of the log4j.properties file. This file is
used to set up and configure logging output and messages from the application.
log4j.logger.com.ibm =
log4j.appender.A1 =
log4j.appender.A1.layout =
log4j.appender.A1.encoding =
log4j.appender.A1.layout.ConversionPattern =
log4j.appender.Rolling =
log4j.appender.Rolling.File =
log4j.appender.Rolling.encoding =
log4j.appender.Rolling.MaxFileSize =
log4j.appender.Rolling.MaxBackupIndex =
log4j.appender.Rolling.layout =
log4j.appender.Rolling.layout.ConversionPattern =
controller.properties
Edit the controller.properties file to create and configure properties for the IBM
Endpoint Manager for Remote Control controller component to use during a
remote control session with a target.
This section describes the architecture of the controller.properties file. This file
is used to configure the controller component that is used during remote control
sessions that are initiated from the server. For details of configuring controller
properties for peer-to-peer remote control sessions, see the IBM Endpoint Manager
for Remote Control Controller User's Guide.
Note: If too many items are added to the Perform Action in Target menu, the last
items in the menu might extend beyond the bottom of the screen, particularly on
smaller screens, because there is no support for scrolling menus.
There are seven preconfigured tools by default that you can change to your own
requirements. There are also three blank tools available by default. To add more
tools, manually edit the controller.properties file.
Note: After manually editing the file, restart the server service for the new tools to
be displayed on the screen.
The tools properties should be configured using the following definition formats.
prefix.ToolName =
tool01.ToolName=Command Prompt
prefix.ToolName.$lang$=
prefix.ToolCommand=
prefix.ToolParameters =
prefix.ToolUser =
Note: Although the tools are preconfigured, each specific tool is displayed in
the Perform action in target menu only if the command required to run the tool
is already installed on the target. Therefore, some sessions might have all tools
displayed and other sessions might have only a few of the preconfigured tools
displayed. Only Windows tools are displayed when you are connected to a Windows
target, and only Linux tools on a Linux target.
tool06.ToolName=Terminal
tool06.ToolCommand=/usr/bin/gnome-terminal
tool06.ToolParameters =
tool06.ToolUser =
tool07.ToolName=Control Panel
tool07.ToolCommand=/usr/bin/gnome-control-center
tool07.ToolParameters =
tool07.ToolUser =
key01.KeySequenceName = Inject F1
keyX.KeySequenceName.language=
key01.KeySequenceName.es = Inyectar F1
keyX.KeySequenceValue=
key01.KeySequenceValue = [F1]
A random factor is also applied to the delay to distribute the heartbeat volume
more evenly over time. The target chooses a random delay starting from a quarter
of the maximum delay time. With the default setting, the random delay ranges
from 5 minutes to 20 minutes.
Note: By default, the very first contact that the target makes with the server
after installation is not delayed, so that the target can be registered in the
server immediately.
If you are carrying out a mass deployment of targets, this might cause the server
to be overloaded with registrations. To alleviate this, you can use the
RegistrationDelay target property to randomly delay the registration and
distribute it evenly through the deployment, avoiding too many machines trying to
register at the same time.
Table 10. HeartBeatDelay and RegistrationDelay properties
Name                Value                      Default Value
HeartBeatDelay      Maximum delay in minutes   20
RegistrationDelay   Maximum delay in minutes   0
You can use the following properties to prevent a heartbeat from being triggered
for certain events.
Table 11. Heartbeat properties to control heartbeats for certain events
Name                    Value    Default value   Description
HeartBeatOnWake         Yes/No   Yes             Trigger a heartbeat when the system wakes from standby or hibernation
HeartBeatOnUserChange   Yes/No   Yes             Trigger a heartbeat when a user logs on or off
HeartBeatOnChange       Yes/No   Yes             Trigger a heartbeat when any of the values included in a heartbeat have changed
HeartBeatOnStop         Yes/No   No              Trigger a heartbeat when the target is stopped or the system is shutting down
In the configuration file you can define default broker setup parameters and also
any connections required for your environment.
v The broker supports multiple instances of each connection type
v The configuration directives for each connection have a user defined prefix.
On a Windows machine, this file is located in the \Broker directory within the
broker's working directory.
Note: Any errors in the configuration file do not stop the broker from starting.
Examine the broker log to verify that the broker is running as expected. For more
details about configuring logging parameters, see “Logging broker activity” on
page 232.
At the start of a broker remote control session, the broker connects to the server to
authenticate the session. Use the following parameters to define the server.
ServerURL
Determines the URL of the server that the broker authenticates the session
with. This parameter must be set to the base URL, for example
https://trcserver.example.com/trc. A trailing '/' character is allowed.
This parameter is a required parameter.
not HTTP if the connection from the broker to the server passes through an
unsecure or untrusted network. Also, use HTTPS if the following
properties are enabled in the trc.properties file,
enforce.secure.endpoint.callhome, or enforce.secure.endpoint.upload.
Otherwise, the target cannot send audit information or status updates to
the server. For more information about the enforce.secure properties, see
“trc.properties” on page 172.
ProxyURL
Add the URL of a proxy server or gateway if you are using one. This
parameter is optional.
You can configure multiple inbound connections and define a prefix for each
connection parameter to allow the broker to find all required settings for each
connection. Configure any inbound connections when configuring the
trc_broker.properties file. For more details about editing this file, see
“Configuring the broker properties” on page 229.
Note:
1. Do not prefix with # or !, as these are reserved for comments in properties files.
2. If you want to include spaces in the prefix, you must escape them with \. For
example, my connection.ConnectionType should be defined as
my\connection.ConnectionType
Note: The hostnames listed here must match the certificate and the
hostnames used when registering the brokers in the remote control
server.
2. Save the file.
If you are configuring multiple brokers in your environment which will connect to
each other to complete the connection between the controller and target, you
should configure broker connections in the broker properties file. For more details,
see “Support for multiple brokers.” When you have finished creating a broker
configuration you can register the brokers in the IBM Endpoint Manager for
Remote Control Server database to be used for facilitating remote control
connections across the internet. For more details, see “Registering a broker on the
server” on page 243.
When you have multiple brokers defined in your environment you should
configure broker control connections and define a prefix for each connection
parameter to allow the broker to find all required settings for each connection.
Broker connections need to be configured between the brokers that will connect to
each other. The brokers use the network of control connections to determine which
broker has the connection from the target. When the target is located, the controller
is reconnected to the same broker as the target. Configure any broker connections
when configuring the trc_broker.properties file.
Note:
1. Do not prefix with # or !, as these are reserved for comments in properties files.
2. If you want to include spaces in the prefix, you must escape them with \. For
example, my connection.ConnectionType should be defined as
my\connection.ConnectionType
Note: The hostname used here should be the same as the hostname
used when registering the broker on the IBM Endpoint Manager for
Remote Control server.
2. Save the file.
When you have created a broker configuration you can register the brokers in the
IBM Endpoint Manager for Remote Control database to be used for facilitating
remote control connections across the internet. For more details, see “Registering a
broker on the server” on page 243.
TRCICB-computername-suffix.log
where computername is the computer name of the broker and suffix is determined
by the LogRotation and LogRollover settings.
The broker log files are located in the \Broker directory within the broker's
working directory.
LogRotation
Controls the period after which an older log file will be overwritten. Log
rotation can be disabled. Default value is Weekly.
LogRollOver
Controls the period after which a new log file is started. This period has to
be smaller than the LogRotation period, therefore not all combinations are
valid. LogRollover cannot be disabled. Default value is Daily.
Use the set of default parameters, prefixed with Default, to set your configuration,
and also configure multiple connections. The parameters have a set of default
values that you can change. The values can be applied to the parameters
prefixed with Default and also to the connection parameters.
Table 12. Default parameter values
Keyword                           Default Value                                     Required
ServerURL                         <blank>                                           Yes
ProxyURL                          <blank>                                           No
DefaultPortToListen               <blank>                                           Yes
DefaultBindTo                     0.0.0.0                                           No
DefaultBindTo6                    ::                                                No
DefaultRetryDelay                 45                                                No
DefaultKeepAlive                  900                                               No
DefaultTLSCertificate             server.pem                                        No
DefaultTLSCertificatePassphrase   <blank>                                           No
DefaultTLSCipherList              TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH   No
DefaultHTTPSCipherList            TLSv1:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH        No
The default values can be used to set values for all connections. However, values
that are set for specific connections override the default value for that connection.
DefaultKeepAlive = 300
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8887
Broker.1.ConnectionType = Broker
Broker.1.DestinationAddress = broker1.example.com
Broker.1.DestinationPort = 8887
Chapter 23. Broker configuration 235
Broker.2.ConnectionType = Broker
Broker.2.DestinationAddress = broker2.example.com
Broker.2.DestinationPort = 8887
Broker.2.KeepAlive = 100
In this example, the DefaultKeepAlive value of 300 is used for the Inbound.1
connection and the Broker.1 connection. Setting the default parameter means that
you do not need to add the property to each specific connection. However, the
Broker.2 connection uses the KeepAlive value of 100 since the Broker.2.KeepAlive
property is set. The specific connection value overrides the default value.
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8887
Inbound.1.KeepAlive = 300
Broker.1.ConnectionType = Broker
Broker.1.DestinationAddress = broker1.example.com
Broker.1.DestinationPort = 8887
Broker.1.KeepAlive = 300
Required parameters do not have a built-in default value. These parameters must
be set either to the value given in the file or within the connection configurations.
When a required parameter is set in the connection parameters, this value
overrides any default values set for the same parameter.
Table 13. Required parameters values used
Default parameter set   Connection parameter set   Value used
No                      No                         Not defined; a required parameter must be defined in the configuration.
No                      Yes                        Connection parameter is used.
Yes                     No                         Default parameter is used.
Yes                     Yes                        Connection parameter is used.
Optional parameters have a built-in default value. If the parameter is not set
within the default parameters or within the connection parameters, the built-in
default value is used. If the parameter is set within the default parameters, but is
not set within the connection parameters, the default parameter value is used by
any connections.
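As an added example that is not IBM's code, the following Python checker parses a gateway or broker properties file in the prefix syntax described in this chapter and applies the rules the guide states: the Table 13 precedence of a connection's own value over a Default* value over the built-in default, LogRollover having to be shorter than LogRotation, and IPv6 subnets being accepted only in the Subnet CIDR form. Which keywords are required for each connection type is an assumption drawn from the guide's examples, and the two sample files are constructed.

```python
"""Checker for the gateway and broker properties-file syntax described in this guide.
Added example, not IBM's code.  Rules applied: '#'/'!' comments and '\\' escapes, the
Table 13 precedence (connection value > Default<keyword> > built-in default), LogRollover
shorter than LogRotation, IPv6 subnets only as Subnet CIDR.  Required keywords per
connection type are an assumption drawn from the guide's examples."""
import ipaddress
import re

# Built-in defaults for optional keywords (Table 12 and the parameter definitions).
BUILTIN_DEFAULTS = {"BindTo": "0.0.0.0", "BindTo6": "::", "RetryDelay": "45",
                    "KeepAlive": "900", "SourcePort": "0", "Timeout": "90"}
# Per-type built-in defaults quoted in the sample gateway configuration file.
TYPE_DEFAULTS = {"Endpoint": {"Timeout": "45", "SubnetAddress": "0.0.0.0", "SubnetMask": "0.0.0.0"},
                 "OutboundTunnel": {"DestinationPort": "80", "TunnelID": "TRCSERVER"},
                 "InboundTunnel": {"TunnelID": "TRCSERVER"}}
# Assumed required keywords per type (no built-in default, see Table 13).
REQUIRED = {"Inbound": ("PortToListen",), "Inbound6": ("PortToListen",),
            "InboundTunnel": ("PortToListen",), "InboundTunnel6": ("PortToListen",),
            "Gateway": ("DestinationAddress", "DestinationPort"),
            "Broker": ("DestinationAddress", "DestinationPort"),
            "OutboundTunnel": ("DestinationAddress",), "Endpoint": (), "Endpoint6": ()}
PERIOD_RANK = {"Hourly": 0, "Daily": 1, "Weekly": 2}   # the periods the guide lists
KEY_VALUE = re.compile(r"((?:\\.|[^=:\s\\])+)\s*[=:]?\s*(.*)")   # key, separator, value


def parse_properties(text):
    """Java-style properties; a backslash escapes the next character (spaces, ':')."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        match = KEY_VALUE.fullmatch(line) if line and line[0] not in "#!" else None
        if match:
            key, value = (re.sub(r"\\(.)", r"\1", part) for part in match.groups())
            props[key] = value.strip()
    return props


def resolve(props, prefix, ctype, keyword):
    """Table 13: connection value, then Default<keyword>, then built-in (None if required)."""
    for candidate in (f"{prefix}.{keyword}", f"Default{keyword}"):
        if candidate in props:
            return props[candidate]
    return TYPE_DEFAULTS.get(ctype, {}).get(keyword, BUILTIN_DEFAULTS.get(keyword))


def check(text):
    """Return ({prefix: resolved keywords}, [problems]) for one properties file."""
    props = parse_properties(text)
    resolved, problems = {}, []
    rotation, rollover = props.get("LogRotation", "Weekly"), props.get("LogRollover", "Daily")
    if {rotation, rollover} <= set(PERIOD_RANK) and PERIOD_RANK[rollover] >= PERIOD_RANK[rotation]:
        problems.append(f"LogRollover={rollover} must be shorter than LogRotation={rotation}")
    defaults = {k[len("Default"):] for k in props if k.startswith("Default") and k != "Default"}
    for key, ctype in props.items():
        if not key.endswith(".ConnectionType") or ctype not in REQUIRED:
            continue
        prefix = key[:-len(".ConnectionType")]
        # Resolve every keyword that is required, has a built-in default, or is set for
        # this prefix or as a Default* value.
        wanted = (set(REQUIRED[ctype]) | set(BUILTIN_DEFAULTS) | set(TYPE_DEFAULTS.get(ctype, {}))
                  | defaults | {k[len(prefix) + 1:] for k in props if k.startswith(prefix + ".")})
        conn = {"ConnectionType": ctype}
        for kw in sorted(wanted - {"ConnectionType"}):
            value = resolve(props, prefix, ctype, kw)
            if value is not None:
                conn[kw] = value
        for kw in REQUIRED[ctype]:
            if kw not in conn:
                problems.append(f"{prefix}: {kw} is required but set neither on the "
                                f"connection nor as Default{kw}")
        if ctype == "Endpoint":              # IPv6 is accepted only in CIDR form
            try:
                if "Subnet" not in conn:
                    if ipaddress.ip_address(conn["SubnetAddress"]).version == 6:
                        raise ValueError("IPv6 needs Subnet=<prefix>/<length> or Endpoint6")
                    conn["Subnet"] = f"{conn['SubnetAddress']}/{conn['SubnetMask']}"
                conn["Subnet"] = str(ipaddress.ip_network(conn["Subnet"], strict=False))
            except ValueError as exc:
                problems.append(f"{prefix}: invalid subnet ({exc})")
        resolved[prefix] = conn
    return resolved, problems


# Constructed samples: the guide's DefaultKeepAlive example, and a gateway file that
# breaks three of the rules above.
SAMPLE_BROKER = """\
DefaultKeepAlive = 300
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8887
Broker.2.ConnectionType = Broker
Broker.2.DestinationAddress = broker2.example.com
Broker.2.DestinationPort = 8887
Broker.2.KeepAlive = 100
"""
SAMPLE_GATEWAY_BAD = """\
LogRotation = Daily
LogRollover = Weekly
Inbound.1.ConnectionType = Inbound
my\\ link.ConnectionType = Endpoint
my\\ link.SubnetAddress = 2001:db8::
lan.ConnectionType = Endpoint
lan.SubnetAddress = 198.51.100.0
lan.SubnetMask = 255.255.255.0
"""
```

Running check(SAMPLE_BROKER) resolves KeepAlive to 300 for Inbound.1 and 100 for Broker.2, exactly as the example above describes; check(SAMPLE_GATEWAY_BAD) reports the rollover ordering, the missing PortToListen and the IPv6 subnet written in SubnetAddress form.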
Parameter definitions
DefaultPortToListen
Defines the TCP port that endpoints must use to connect to this broker.
The port for listening for inbound connections. Required parameter.
DefaultSourcePort
Defines the port that the outgoing connection is using. This parameter is
optional. Default is 0.
DefaultBindTo
Defines the IP address that is used to create connections with. For example:
my\connection.BindTo=192.0.2.0
This parameter is optional. Default is 0.0.0.0.
DefaultBindTo6
Defines the IP address that is used to create connections with in IPv6
networks. This parameter is optional. Default is ::.
DefaultRetryDelay
inbound connections
Defines the time in seconds between attempts to open the
configured port for listening for incoming connections. Default is
45 seconds.
broker connections
Defines the time in seconds between attempts to establish or
re-establish the control connection. This parameter is optional.
Default is 45 seconds.
DefaultKeepAlive
Defines the time in seconds between keepalive requests. This parameter is
optional. Default is 900 seconds.
DefaultTLSCertificateFile
Filename or path to the TLS certificate for this broker. For more
information on creating and managing broker certificates, see Chapter 25,
“Certificate management,” on page 245. Default is server.pem.
DefaultTLSCertificatePassphrase
Password for the private key that is associated with the TLS certificate. This
parameter is optional.
DefaultTLSCipherList and DefaultHTTPSCipherList
Use this configuration keyword to override the selection of cipher suites
that can be used to secure network connections to or from a broker. A
cipher suite is a combination of four cryptographic algorithms that are
Note: The broker supports only TLSv1. Support for SSLv2 and SSLv3 is
disabled due to known vulnerabilities in those versions of the protocol,
even if you include SSLv2 or SSLv3 in the cipher list.
Types of cryptographic algorithms
Authentication
Verify the identity of the client or server that is using digital
certificates.
Key Exchange
Establish shared secrets to be used as encryption keys and message
authentication keys for the session.
Encryption
Protects the session data from being accessed by unauthorized
entities.
Message authentication
Protects the session data from being tampered with.
With the version of OpenSSL that is included with the broker component
and the default cipher list, the following ciphers can be used:
Encryption
v AES key length 256 bits
v AES key length 128 bits
Authentication
There are three networks present: an intranet, a DMZ network, and an Internet-facing
network. A firewall between the intranet and the Internet allows outbound
connectivity but blocks all inbound connections. There is also a security policy in
force that does not allow connections to be initiated from the DMZ to the intranet
or from the Internet-facing network to the DMZ.
Hosts in the Internet-facing network do not have public IP addresses. The Internet
gateway uses DNAT to map internal IP addresses to public IP addresses, only for
the ports needed for specific public services. In this example, the public service is
the broker.
The broker requires connectivity to the server, but direct connections from the
Internet-facing network to the server are not allowed. A chain of gateways is
deployed to allow the broker to connect to the server.
The following tables provide details of the components and settings present in the
example environment.
Table 15. TRC components
Network name      Server   Broker   Gateway   Controller   Target
Intranet          Yes      No       Yes       Yes          Yes
DMZ               No       No       Yes       No           No
Internet facing   No       Yes      Yes       No           No
Internet          No       No       No        No           Yes
Broker Configuration
The following section provides examples of what would be set in the broker and
gateway properties files for each of the relevant components.
BROKER1.example.com
PublicBrokerURL = BROKER1.example.com:8887
ServerURL = https://SERVER.example.com/trc/
ProxyURL = trcgw://GATEWAY3.example.com:8880
DefaultTLSCertificateFile = BROKER1.p12
DefaultTLSCertificatePassphrase = ************************
Inbound1.ConnectionType = Inbound
Broker2.ConnectionType = Broker
Broker2.DestinationAddress = BROKER2.example.com
Broker2.DestinationPort = 8881
BROKER2.example.com
PublicBrokerURL = BROKER2.example.com:8887
ServerURL = https://SERVER.example.com/trc/
ProxyURL = trcgw://GATEWAY3.example.com:8880
DefaultTLSCertificateFile = BROKER2.p12
DefaultTLSCertificatePassphrase = ************************
Inbound1.ConnectionType = Inbound
Inbound1.PortToListen = 8887
Inbound2.ConnectionType = Inbound
Inbound2.PortToListen = 8881
Inbound2.AllowEndpoints = no
Inbound2.AllowBrokers = BROKER1.example.com
Gateway Configuration
GATEWAY1
Gateway2.ConnectionType = Gateway
Gateway2.DestinationAddress = 10.2.0.254
Gateway2.DestinationPort = 8881
Server.ConnectionType = OutboundTunnel
Server.DestinationAddress = 10.1.0.2
Server.DestinationPort = 443
GATEWAY2
Inbound.PortToListen = 8881
Gateway3.ConnectionType = Gateway
Gateway3.DestinationAddress = 10.3.0.254
Gateway3.DestinationPort = 8881
GATEWAY3
Inbound.ConnectionType = Inbound
Inbound.PortToListen = 8881
Server.ConnectionType = InboundTunnel
Server.PortToListen = 8880
The registered broker list is passed from the server to the targets when the targets
register, in response to contact from the target, or at the start of a remote control
session. The list is stored in the target property BrokerList.
When a target user enters a connection code to start a remote control session using
a broker, the target machine tries to connect to each broker in the list until it makes
a successful connection to one of them. Therefore, when making changes to the
broker list you should ensure that there is still one unchanged broker in the list so
that the targets can still connect in a remote control session, then when they are in
the session they can contact the server and receive the updated broker list.
The broker is added to the IBM Endpoint Manager for Remote Control database.
To view the registered brokers select Admin > All Remote Control Brokers
Editing broker details
After registering a broker on the IBM Endpoint Manager for Remote Control server,
you can use the edit broker feature to change any of the saved information for the
broker.
Deleting a broker
You can remove IBM Endpoint Manager for Remote Control brokers from the
database if they are no longer required.
To remove a broker from the All Remote Control Brokers page, complete the
following steps:
1. Select Admin > All Remote Control Brokers.
2. Select the required broker.
3. Select Delete Remote Control Broker.
4. Click Confirm on the Confirm deletion screen.
The selected broker is deleted from the IBM Endpoint Manager for Remote Control
database.
Note: Click Cancel on the confirm deletion screen to return to the previously
displayed screen and the broker is not deleted.
A separate certificate is required for each broker that is added to the IBM Endpoint
Manager for Remote Control infrastructure. This certificate must be trusted by
the components that can connect to the broker, that is, other brokers, controllers,
and targets. This is achieved by having signing certificates that are used to sign
the broker certificates. These certificates can be self-signed or part of a chain
from a valid internal or external Certificate Authority (CA). The signing
certificates are held in a trust store on the IBM Endpoint Manager for Remote
Control server and are used to verify the broker certificates.
Use a text editor or the UNIX cat command to combine all the items in a single
file.
IBM Endpoint Manager for Remote Control can use multiple types of Public Key
Infrastructure (PKI):
v A commercial Certificate Authority (CA)
v An internal CA
v Self-signed certificates
There is no difference between using a commercial CA or an internal CA and it is
possible to mix the two kinds. For example, you can run the IBM Endpoint
Manager for Remote Control server with a self-signed certificate while running all
brokers with CA-signed certificates.
IBM Endpoint Manager for Remote Control provides two levels of certificate
validation: strict certificate validation and non-strict certificate validation.
Non-strict certificate validation
v Non-strict certificate validation performs the following checks against
the certificate:
– The identity of the certificate matches the hostname of the broker that
you are trying to connect to.
– The certificate is within its validity period.
In non-strict mode, the client does not need a trust store to perform the
validation.
You can access the IBM Key Management tool if you have the IBM Endpoint
Manager for Remote Control server installed with embedded components and also
if you have the controller component installed. It is also provided by IBM
WebSphere Application Server.
Note: If you are using WAS, make sure that the 7.0.0-WS-WASSDK-*-FP0000021
update or later has been applied, where * is the platform. For example:
7.0.0-WS-WASSDK-WinX32-FP0000021
The .p12 file is created with the name and selected location chosen in step 7 and is
displayed in the list of personal certificates in the key management tool GUI.
Note: The key store contains the private key for the certificate and this must be
kept secure at all times. It is recommended that the original copy of the keystore is
stored in a secure disk, for example an encrypted USB storage device or similar.
Keeping a secure backup of the original keystore is also recommended.
You should copy the new certificate to the broker machine and configure the
broker properties. For more details, see “Configuring the keystore on the broker.”
To configure the keystore on the broker you require a .p12 file when using
self-signed certificates, see “Creating a self signed certificate” on page 246, or a
.pem file if using CA certificates, see “Certificate Authority signed certificates” on
page 249.
The IBM Endpoint Manager for Remote Control controller and target, instructed by
the remote control server, use strict certificate validation by default and require a
trust store. Normally, a trust store contains the Certificate Authority's root
certificates, but when using self-signed certificates there is no CA.
When using strict certificate verification, the certificate must be exported from
the keystore and uploaded to the IBM Endpoint Manager for Remote Control server. The
target downloads and caches the trust store when registering, during the call home
process with the server or during a remote control session. The controller
downloads the trust store at the start of the remote control session.
The certificate file, with extension .arm, will be extracted to the chosen location.
After you have extracted the certificate from the keystore you should add it to the
trust store on the remote control server. For more details, see “Adding a certificate
to the truststore” on page 250.
To use a Certificate Authority (CA) signed certificate, obtain the following items:
v A certificate for each broker in your environment.
v The root certificate and any intermediate certificates for the CA.
Note: Different CAs operate in different ways; consult the CA's documentation for
instructions on how to obtain these items.
When you have obtained the relevant certificate files, copy the certificate to the
broker machine and configure the broker properties. For more details, see
Chapter 23, “Broker configuration,” on page 229. The root certificate must be added
to the IBM Endpoint Manager for Remote Control server; see “Adding a certificate
to the truststore” on page 250.
Truststore configuration
The IBM Endpoint Manager for Remote Control server holds the truststore that is
used for verifying the broker certificates.
This truststore is provided to the controller system when a remote control broker
session is initiated. It is sent also to the target system after the target contacts the
server. The certificates that are contained in the truststore are not generated by the
server. They are imported into the truststore by an administrator.
Note: The truststore received in the response from the server is stored on the
target in the directory that is defined in the TrustStoreDir target property.
If you are using self-signed certificates, you must extract the certificate from the
keystore file. For more information about extracting the certificate, see “Extracting
the certificate from the keystore” on page 248. If you are using a CA certificate,
you are required only to add the root certificate to the server.
You can add a certificate to the truststore by completing the following steps:
1. Log on to the IBM Endpoint Manager for Remote Control server with a valid
admin ID and password.
2. Open the certificate file in a text editor. Select the certificate and copy it to the
clipboard. Select everything, including the BEGIN CERTIFICATE and END
CERTIFICATE lines.
3. Select Admin > New Trusted Certificate.
4. Paste the certificate data from the clipboard into the Certificate field.
5. Click Submit. The certificate details are shown.
6. Verify that the correct certificate is shown and click Submit.
To view the list of certificates in the truststore, select Admin > All Trusted
Certificates.
Note: After you edit certificates in the truststore, all targets must be forced to
contact the server so that they update their local truststore. You must make sure
that the certificates on the broker also contain the new details. Otherwise, the
target cannot access those brokers whose certificate you changed. The target will
then automatically update the truststore during the session and can use the new
certificate details in the future.
When you are using CA signed certificates, only the root certificate must be in the
server truststore. Root certificates typically have a long lifespan, with typical
current CA certificates not expiring until after 10 or 20 years at the time of writing.
The SSL certificates signed by the CA usually expire after one year. However, you
must update only the SSL certificate on the broker. There is no need to update the
truststore on all of the endpoints if any of the following conditions are true.
v The new SSL certificates for the broker are issued by the same CA.
v The root certificate for the CA is already in the truststore on the server and it
has been passed to all of your endpoints.
Create your self-signed certificate and distribute it to all the endpoints before you
install it on the broker. To migrate to a new certificate, complete the following
steps:
1. Generate the new certificate before the old certificate expires. For more
information about creating a certificate, see “Creating a self signed certificate”
on page 246. When to do this depends on how long you think it takes to
update the endpoints with the new certificate. Leave the broker running with
the old certificate until just before the expiration date.
2. Add the new certificate to the truststore on the server. For more information
about adding a certificate, see “Adding a certificate to the truststore” on page
250.
v Targets that call home from inside the intranet automatically receive the new
certificate from the server and update their truststore.
v Targets that successfully start a session through a broker also automatically
update the truststore. Therefore, the broker must continue running with the
old certificate because the target trusts this certificate. The target does not yet
trust the new certificate, and therefore would be unable to start a session
through the broker.
3. Install the new certificate on the broker before the old certificate expires. For
more information about installing a certificate, see “Configuring the keystore on
the broker” on page 247.
4. Remove the old certificate from the truststore after it expires.
When the old certificate expires, all targets that updated their truststore can
establish a remote control session by using the broker.
254 IBM Endpoint Manager for Remote Control Administrator’s Guide
Chapter 27. Configuring the session connection code
You can define the number of characters required and the timeout value for the
connection code used when starting a remote control session through a broker.
Chapter 28. Target registration before a remote control session
When you have targets that are on the internet or third-party networks and cannot
register directly with the IBM Endpoint Manager for Remote Control server you
can configure server properties to allow the target to register with the server. When
the target registers, you can start a remote control session with the target, by using
a broker.
You can also configure the target properties to assign the target to specific target
groups when it registers with the server.
Server properties
Target properties
The following target property values must be set to allow the target to register
with the server.
v Managed = Yes
v ServerURL = the host name or IP address of the server that you want the target
to register with.
v BrokerList = the list of host names or IP addresses of the brokers and their
ports that you want the target to connect to, in the format
hostname1:port,hostname2:port,hostname3:port.
Note: You must restart the target service when you change target property values
so that the new values take effect.
You can assign the target to other target groups when it registers, instead of the
DefaultTargetGroup, in two ways.
Using the target group override option.
Set the allow.target.group.override property to true to assign the target
to the groups listed in the GroupLabel target property, instead of the
DefaultTargetGroup.
1. Edit the trc.properties file and set allow.target.group.override=true.
2. Save the file.
3. Edit the target properties and set GroupLabel to a list of target groups.
If you define rules and the target group override function is also enabled, the
target is assigned to the target groups that are defined for both of these options
when it registers.
There can be cases where the remote control session cannot start for the following
reasons.
v The target was not assigned to any groups.
v The group assignment configuration is incorrect.
v The target is assigned to a group that the controller user does not have
permissions to access targets from.
In all cases, no policies can be derived for the session, so even though the target is
registered in the server, the session is rejected.
Note: On a 64-bit system all the 32-bit registry keys are under the
WOW6432Node key, for example:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\IBM\Tivoli Remote Control\Target
2. Right-click the required property and select Modify.
3. Set the required value and click OK.
4. Restart the target service.
Modify this parameter within the Windows registry by completing the following
steps:
1. At a command prompt, type regedit.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\IBM\Tivoli\Remote Control\Target.
3. Right-click LocalIPInterface and select Modify.
4. Enter the required IP address in the Value data field and click OK.
5. Restart the target service.
The Windows target uses the defined IP address for remote control sessions and
for reporting to the IBM Endpoint Manager for Remote Control server.
Specifying an IP address for a Linux target
Use the LocalIPInterface property to specify the IP address that the Linux target
uses for connecting to the IBM Endpoint Manager for Remote Control server.
Modify this parameter in the IBM Endpoint Manager for Remote Control Linux
target configuration file by completing the following steps:
1. Edit the ibmtrc.conf file.
2. Set the value of LocalIPInterface to the required IP address and save the file.
3. Restart the target service.
Note: Collaboration should also be started for the join feature to be enabled.
Configuring LDAP
IBM Endpoint Manager for Remote Control provides Lightweight Directory Access
Protocol Version 3 support that you can use to enable authentication and
integration of users and their associated group membership into the IBM Endpoint
Manager for Remote Control database.
To perform the basic configuration for LDAP authentication, complete the following
steps:
1. Click Admin > Edit properties file.
2. Ensuring that you are editing the common.properties file, edit the following
properties:
authentication.LDAP
Enables or disables LDAP authentication.
true LDAP user authentication is performed.
false LDAP user authentication is not performed. Users are
authenticated using the IBM Endpoint Manager for Remote
Control database.
authentication.LDAP=true
authentication.LDAP.config
Defines the file containing the LDAP configuration properties
authentication.LDAP.config=ldap.properties
sync.ldap
Used to synchronize the users and groups from Active Directory with
the IBM Endpoint Manager for Remote Control database. Takes the
values true, to synchronize, or false, for no synchronization.
true The LDAP server is synchronized with the IBM Endpoint
Manager for Remote Control database to reflect any changes
made in LDAP.
false No synchronization takes place. If synchronization is disabled,
you should manually import the users into the IBM Endpoint
Manager for Remote Control database otherwise they will not
be able to logon to the IBM Endpoint Manager for Remote
Control server. The users must exist in the IBM Endpoint
Manager for Remote Control database so that they can be
associated with the relevant permissions required to establish
remote control sessions.
Note: If you change this value, restart the server service for the
new value to take effect.
scheduled.interval.period
The unit of time to be used along with the scheduled interval
to specify how often the server should check for scheduled
tasks. Default is minutes.
Any changes to the ldap.properties file will not take effect until the IBM
Endpoint Manager for Remote Control application is reset using Admin,Reset
Application. To avoid multiple restarts or an extended outage use an LDAP
browser and the LDAP Configuration Utility as an aid to the entire configuration
process.
DC=mydomain,DC=mycompany,DC=com
After the information has been entered, the LDAP Browser displays attribute
names and values available at the root of the Active Directory tree.
When a connection is established use the same information used in the LDAP
browser to set the parameters in the ldap.properties file.
v Click Admin > Edit properties files.
v Select ldap.properties from the list.
v When modifications are complete, click Submit.
The application must be reset for the changes to take effect. Click Admin > Reset
Application or restart the server service.
The properties file can also be edited manually by locating it on the IBM Endpoint
Manager for Remote Control Server, usually in the following location:
[installdir]\wlp\usr\servers\trcserver\apps\TRCAPP.ear\trc.war\WEB-INF\classes
(where installdir is the directory that the IBM Endpoint Manager for Remote Control
Server is installed in), for example:
C:\Program Files\IBM\Tivoli\TRC\server\wlp\usr\servers\trcserver\apps\TRCAPP.ear\trc.war\WEB-INF\classes
Note: IBM Endpoint Manager for Remote Control is provided with a default
ldap.properties file and many of the extended configuration options are
commented out. To enable these options, the file must be edited manually.
Note: Check that a successful connection to the LDAP browser can be established
by using these credentials to verify that they are valid.
1. Edit the ldap.properties file.
2. Configure the following properties.
ldap.connectionName
The username that is used to authenticate a read-only LDAP
connection. If not set, an anonymous connection is attempted.
For example: [email protected]
ldap.connectionPassword
The password that is used to establish a read-only LDAP connection.
The password can be entered here in plain text or it can be encrypted.
ldap.connectionPasswordEncrypted
True The LDAP password is encrypted.
False The LDAP password is not encrypted and entered as plain text.
Use the following method to generate the encrypted password.
In a Windows system.
a. Open a command prompt window and type:
cd [installdir]\wlp\usr\servers\trcserver\apps\TRCAPP.ear\trc.war\WEB-INF\lib
Note: This command is all on one line with a space between jar
and com.
c. The output from the command is the following:
Encrypted Password : [encrypted password]
Decrypted Password : [text version of password]
For example,
Encrypted Password: 10|ydEBl67atSSbrAA=
Decrypted Password: myPassw0rd
Edit the ldap.properties file and set the ldap.connectionPassword
property to the encrypted password value. The decrypted password
is shown to verify that the encryption is valid.
Connection Security
The following properties define the level of security to be used on the connection
to the LDAP server. Set the following parameter to simple so that IBM Endpoint
Manager for Remote Control can communicate with the majority of Active
Directory servers.
ldap.security_authentication
Specifies the security level to use. Value can be set to one of the following
strings: none, simple, strong. If this property is unspecified, the behavior is
determined by the service provider.
ldap.security_authentication=simple
While most LDAP servers support simple plain text login, some Active Directory
administrators require a secure connection. IBM Endpoint Manager for Remote
Control supports two types of secure connections to an Active Directory server,
SASL (Digest-MD5) or SSL. If you are having trouble connecting to the Active
Directory server and see the following error in the trc.log:
LDAP Authentication.exception[LDAP: error code 8 - 00002028: LdapErr: DSID-0C09018A,
comment: The server requires binds to turn on integrity checking if SSL\TLS are not
already active on the connection, data 0, vece ]
IBM Endpoint Manager for Remote Control will need to be configured for either
SASL or SSL connections.
Note: It should be noted that when LDAP has been enabled, new users and new
user groups should be created in Active Directory and not in IBM Endpoint
Manager for Remote Control. This is because each time the synchronization with
Active Directory takes place the users and user groups are deleted from the IBM
Endpoint Manager for Remote Control database and then imported again from
Active Directory.
You can refine your search by going deeper into the OU structure and
searching only within a specific organizational unit, for example an
OU called Users. You would then set the property value as
ldap.userBase=OU=Users,ou=mylocation,dc=mydomain,dc=mycompany,dc=com
This instructs IBM Endpoint Manager for Remote Control to look for
users matching the criteria only within the Users OU (and any OUs that
belong to the Users OU if ldap.groupSubtree is set to true).
ldap.userSearch
Defines the LDAP query that is used to import Active Directory users to
IBM Endpoint Manager for Remote Control. The defined query needs to
filter the results such that only those users which match the search criteria
are imported to IBM Endpoint Manager for Remote Control. The default
value is
(objectClass=user)
Note: Some environments have thousands of users, so it is important to
create a filter that imports only the required users. To limit the users
that are imported to only those users who match the search criteria and
are members of the groups that were imported into IBM Endpoint Manager
for Remote Control through the ldap.groupSearch filter, set the property
ldap.userInGroup to true. Note also that, as well as being imported into
the relevant groups that are returned in the group search, users are also
imported into the DefaultGroup. Setting ldap.userInGroup to false imports
all users who match the search criteria, regardless of their group
membership.
The search can therefore be further refined by using more complex queries.
For example, if you have the following values set (the trailing backslashes
continue the property value on the next line):
ldap.groupBase=OU=mylocation,DC=mycompany,DC=com
ldap.userSearch=(&(objectClass=user)\
  (|(memberOf=CN=Department1,OU=GROUPS,OU=mylocation,DC=mycompany,DC=com)\
    (memberOf=CN=Department3,OU=GROUPS,OU=mylocation,DC=mycompany,DC=com))\
  (name={0}))
To refine your search and go deeper into the OU structure, select to start
the search only within a specific organizational unit, for example, an OU
called Test. To refine this search set the property value as
OU=Test,OU=mylocation,DC=mycompany,DC=com
This would instruct IBM Endpoint Manager for Remote Control to look for
groups matching the criteria, only within the Test OU (and any OUs that
belong to the Test OU if ldap.groupSubtree is set to true)
ldap.groupSearch
Defines the LDAP query that is used to import AD groups to IBM
Endpoint Manager for Remote Control. The defined query needs to filter
the results such that only those groups which are needed are imported to
IBM Endpoint Manager for Remote Control.
ldap.groupSearch=(objectClass=group)
Imports all AD groups found in the OU specified in the
ldap.groupBase property to IBM Endpoint Manager for Remote
Control. Be aware that some environments can have thousands of
groups.
ldap.groupSearch=(&(objectClass=group)(cn=*SMS*))
Imports all groups that contain SMS in the cn attribute, for
example visio-sms-users
ldap.groupSearch=(&(objectClass=group)(cn=admins))
Imports all groups that are named admins.
ldap.groupSearch=(&(objectClass=group)(cn=admins*))
Imports all groups which have admins in the name for example
administrators, server-administrators.
ldap.groupMembers
The LDAP attribute name to be used to find the members of the groups that are
returned as a result of the specified search. The default value is member.
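To show how ldap.groupSearch, ldap.userSearch, the two Subtree flags and ldap.userInGroup combine to decide which Active Directory entries are imported, the following Python script is added here as an illustration; it is not product code. It evaluates the filters from an ldap.properties-style mapping over a constructed directory with a minimal RFC 4515 filter evaluator; the directory entries, and the treatment of the {0} placeholder as a wildcard during the bulk import, are assumptions made for the example.

```python
"""Added example: how ldap.groupSearch, ldap.userSearch, the *Subtree flags and ldap.userInGroup select imported entries."""
import re

def _parse(f, i=0):
    """Parse an RFC 4515 filter from f[i]; returns (node, next_index)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while f[i] != ")":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    end = f.index(")", i)                  # attribute values must not contain ')'
    attr, _, value = f[i:end].partition("=")
    return ("=", attr.strip().lower(), value.strip()), end + 1

def _match(node, entry):
    """Evaluate a parsed filter against one entry ({attribute_lower: [values]})."""
    if node[0] == "&":
        return all(_match(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_match(k, entry) for k in node[1])
    if node[0] == "!":
        return not _match(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":                     # presence filter, e.g. (sAMAccountName=*)
        return bool(values)
    rx = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return any(re.match(rx, v, re.IGNORECASE) for v in values)

def _under_base(dn, base, subtree):
    """True if dn is directly below base, or anywhere below it when subtree is set."""
    dn, base = dn.lower(), base.lower()
    if not dn.endswith("," + base):
        return False
    return subtree or "," not in dn[: -len(base) - 1]

def search(directory, base, subtree, filt):
    """Return the entries below base that match the LDAP filter string."""
    node, _ = _parse(re.sub(r"\s+(?=[()])", "", filt.strip()))  # drop spaces between items
    return [e for e in directory if _under_base(e["dn"], base, subtree) and _match(node, e)]

def simulate_import(directory, props):
    """Apply an ldap.properties mapping -> {"groups": [names], "users": {userid: [group names]}}."""
    flag = lambda key: props.get(key, "false").lower() == "true"
    name_attr = props.get("ldap.groupName", "name").lower()
    member_attr = props.get("ldap.groupMembers", "member").lower()
    uid_attr = props.get("ldap.userid", "sAMAccountName").lower()
    groups = search(directory, props["ldap.groupBase"], flag("ldap.groupSubtree"),
                    props["ldap.groupSearch"])
    # {0} is the logon name at authentication time; for the bulk import this example
    # assumes it is matched as a wildcard.
    users = search(directory, props["ldap.userBase"], flag("ldap.userSubtree"),
                   props["ldap.userSearch"].replace("{0}", "*"))
    member_of = {}                         # user DN -> names of imported groups
    for g in groups:
        for dn in g.get(member_attr, []):
            member_of.setdefault(dn.lower(), set()).add(g[name_attr][0])
    imported = {}
    for u in users:
        names = member_of.get(u["dn"].lower(), set())
        if flag("ldap.userInGroup") and not names:
            continue                       # in no imported group: not imported
        # every imported user is also placed in DefaultGroup, as the guide states
        imported[u[uid_attr][0]] = sorted(names) + ["DefaultGroup"]
    return {"groups": sorted(g[name_attr][0] for g in groups), "users": imported}

BASE_DN = "OU=mylocation,DC=mydomain,DC=mycompany,DC=com"  # constructed sample tree

def _user(uid, ou="OU=Users"):
    return {"dn": "CN=%s,%s,%s" % (uid, ou, BASE_DN), "name": [uid],
            "objectclass": ["top", "person", "user"], "samaccountname": [uid]}

def _group(name, members, ou="OU=Groups"):
    return {"dn": "CN=%s,%s,%s" % (name, ou, BASE_DN), "name": [name], "cn": [name],
            "objectclass": ["top", "group"], "member": members}

SAMPLE_DIRECTORY = [
    _user("alice"), _user("bob"), _user("carol"),
    _user("dave", "OU=Contractors,OU=Users"),           # nested OU, in no group
    _group("TRC-Admins", ["CN=alice,OU=Users," + BASE_DN]),
    _group("Sales", ["CN=bob,OU=Users," + BASE_DN]),     # not matched by name=TRC*
    _group("TRC-Helpdesk", ["CN=carol,OU=Users," + BASE_DN], "OU=Nested,OU=Groups"),
]
SAMPLE_PROPS = {
    "ldap.groupBase": "OU=Groups," + BASE_DN, "ldap.groupSubtree": "true",
    "ldap.groupSearch": "(&(objectClass=group)(name=TRC*))",
    "ldap.userBase": "OU=Users," + BASE_DN, "ldap.userSubtree": "true",
    "ldap.userSearch": "(&(objectClass=User)(sAMAccountName={0}))",
    "ldap.userInGroup": "true", "ldap.userid": "sAMAccountName",
}
```

With the sample properties only alice and carol are imported; flipping ldap.userInGroup to false also imports bob and dave (into DefaultGroup only), and setting ldap.groupSubtree to false loses the TRC-Helpdesk group in the nested OU and with it carol.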
When the service has restarted, log on to the IBM Endpoint Manager for Remote
Control server using an Active Directory userid and password. If the entries in the
LDAP properties file are correct, you are authenticated and logged on successfully.
IBM Endpoint Manager for Remote Control Server connects directly to LDAP;
therefore, any password changes within LDAP are immediately effective as long as
the LDAP password change has synchronized to the LDAP server that is set
within the ldap.properties file.
Note: The default ADMIN userid within the IBM Endpoint Manager for Remote
Control Server application will always authenticate against the IBM Endpoint
Manager for Remote Control Server database regardless of whether LDAP
authentication is enabled. This is to allow a mechanism for accessing the
application, should there be a connectivity problem between IBM Endpoint
Manager for Remote Control Server and LDAP.
If there are any errors in the ldap.properties file you will see a message that the
login has failed. The Logon screen is displayed with an Invalid username or wrong
password message.
To determine the cause of the failure look in the trc.log file. View the application
log using the Admin menu by completing the following steps.
v In the IBM Endpoint Manager for Remote Control Server UI, click Admin >
View application log.
v Press CTRL+END to reach the end of the file.
Some common errors are listed below. Please note that the presence of these errors
indicates that there was a problem creating the initial connection between IBM
Endpoint Manager for Remote Control Server and Active Directory.
AcceptSecurityContext error, data 525
Returned when the username is invalid.
AcceptSecurityContext error, data 52e
Returned when the username is valid but the password or credentials are invalid.
This error prevents most other errors from being displayed.
AcceptSecurityContext error, data 530
Logon failure: account logon time restriction violation. Displayed only when
presented with valid username and password credentials.
AcceptSecurityContext error, data 531
Logon failure: user not allowed to log on to this computer. Displayed only
when presented with valid username and password credentials.
AcceptSecurityContext error, data 532
Logon failure: the specified account password has expired. Displayed only
when presented with valid username and password credentials.
After the groups have been imported into IBM Endpoint Manager for Remote
Control, define permissions for the newly imported groups.
# 5724-N88 5725-C431
# LDAP Properties
ldap.connectionURL=ldap://myldapserver
# define the secondary LDAP server name, if the primary is down we can use an
# alternative LDAP server
# ----ldap.alternateURL=
ldap.connectionPassword=myPassword
ldap.connectionPasswordEncrypted=false
# The fully qualified Java class name of the JNDI context factory to be used for
# this connection. If left unset, the default JNDI LDAP provider class is used.
# ----ldap.contextFactory=com.sun.jndi.ldap.LdapCtxFactory
# specifying the security level to use. Its value is one of the following strings:
# "simple" or "DIGEST-MD5".
ldap.security_authentication=simple
# Identifies the realm or domain from which the connection name should be chosen
# ----ldap.connectionRealm=
# Quality of protection
# ----ldap.connectionQop=auth
# Number indicating the size of the largest buffer the server is able to receive when
# ldap.connectionMaxbuf=16384
# ----ldap.connectionStrength=high
# the service provider (for example: "ssl"). If this property is unspecified, the behaviour
# ----ldap.security_protocol=ssl
# Access the keystore, this is where the Root CA public key cert was installed
# ----ldap.ssl_keyStore=PathOfKeyStoreFile
# ----ldap.ssl_keyStorePassword=KeystorePassword
# ----ldap.referrals=follow
# The base LDAP directory entry for looking up group information. If left unspecified,
ldap.groupBase=OU=Groups,OU=mylocation,DC=mydomain,DC=mycompany,DC=com
ldap.groupSearch=(&(objectClass=group)(name=TRC*))
# Set to true if you want to recursively search the subtree of the element specified in
# value of false causes only the top level to be searched (a nonrecursive search).
ldap.groupSubtree=true
ldap.groupName=name
ldap.groupDescription=description
ldap.groupMembers=member
ldap.userBase=OU=Users,OU=mylocation,DC=mydomain,DC=mycompany,DC=com
# The LDAP filter expression to use when searching for a user's directory entry,
# with {0} marking
ldap.userSearch=(&(objectClass=User)(sAMAccountName={0}))
# Set this value to true if you want to recursively search the subtree of the element
# specified by the userBase attribute for the user's directory entry. The default value
# of false causes only the
ldap.userSubtree=true
# Set this value to true if a user has to be a member of the groups found in the
# group search
ldap.userInGroup=true
# Remote control will use it to encrypt the user input password and
# compare it with password it receives from the LDAP server. If left unspecified,
# the default value is "cleartext".
ldap.userid=sAMAccountname
ldap.userPassword=password
ldap.userEmail=userPrincipalName
# If the following parameters are defined they are mapped into the local remote
# control database
ldap.forename=givenName
ldap.surname=sn
ldap.title=title
ldap.initials=initials
ldap.company=company
ldap.department=department
ldap.telephone=telephoneNumber
ldap.mobile=mobile
ldap.state=st
ldap.country=Co
# Set this value to the page size of LDAP search retrievals (default=500).
# Do not set this to anything greater than the max page size for the LDAP server
# (for example, AD has a limit of 1000)
ldap.page.size=500
Import data from csv files into the IBM Endpoint Manager for Remote Control database
Use comma-separated text files to import numerous records of information into the
IBM Endpoint Manager for Remote Control database instead of adding the records
individually. Use these files with import templates, which map the data in your file
to the relevant columns in the database tables, to import the data into the database
in one go. For example, the details of multiple users can be imported into the
database from a csv file rather than having to be entered individually.
FORENAME,SURNAME,EMAIL
Fred,Bloggs,[email protected]
John,Smith,[email protected]
David,Brown,[email protected]
Mary,Smith,[email protected]
When you have created your csv file, map this data to the IBM Endpoint Manager
for Remote Control database using a template that will import the data into the
correct tables in the database.
Note: USERKEY is not the same as USERID; USERID is the column that must be used.
Note: If you click Update after you select the file encoding, you must
check that the required encoding is still selected. If it is not, select the
encoding value.
File Delimiter
Type the character that separates the columns in the file.
for example: , or /
File Encoding
Used to select the file encoding that applies to your CSV file so that it
can be interpreted correctly. Choose the appropriate method for
selecting the file encoding.
v Select the required file encoding from the list.
v Type in all or part of the file encoding name and click Search.
v Leave the field with no selection and the ASCII UTF-8 file encoding
is used.
Date Format
If you require dates to be imported, follow the instructions on screen
for determining the format.
Create Assets?
true If the data that you are importing applies to a target that is not
already in the ASSET table, create a target. The ASSET table
contains the details of already registered targets.
false If the data that you are importing applies to a target that is not
already in the ASSET table, do not import the data into the
database.
Note: Select only the columns that you want to import data for; you do not
have to import every column.
USERID, FORENAME,SURNAME,,LOCATION
awilson,Alan,Wilson,Greenock
The import template is created. Use the template to import a csv file and map the
data in the csv file correctly to the relevant tables in the database. For more
information about importing a csv file, see “Importing a csv file.”
Note: If you click Update after you select the file encoding, check that the
required encoding is still selected. If it is not, select the encoding again.
5. Click Submit.
The selected import template is removed and is no longer listed in the All
Templates report.
To add the data into the database, complete the following steps:
1. Click Admin > Import Data > Import File. The Import Existing Data screen is
displayed.
2. Choose the appropriate method for selecting your csv file.
a. Click Browse to navigate to and select the required csv file.
b. Type in the path and name of the file that you wish to import.
Note: If your file has a header in it, it is matched automatically with a defined
template and therefore no selection is required.
4. Click Submit. The message File has been queued for processing is displayed.
Your data is added to the database. You can check this by displaying the relevant
report for this data. For example, if you have added user data, you can use the All
users report to check that the data has been added correctly.
The following information is provided to help you understand the overall structure
of the built-in database and to help you understand how information is divided
into each table.
Note: Some of the tables described in this section are not used by the current
version of IBM Endpoint Manager for Remote Control and are considered
deprecated. They might be removed in future versions of the product.
Table 21. ACCESSREQUESTTARGETS table (continued)
TABLE NAME COLUMN NAME TYPE NAME LENGTH NULLS
TARGETGROUPKEY INTEGER 4 No
Table 22. ASSET table - Main Target table for storing the majority of the Target information
TABLE NAME COLUMN NAME TYPE NAME LENGTH NULLS
ASSET HWKEY INTEGER 4 No
MAX_REVISION INTEGER 4 No
MAX_PROCESSED_REVISION INTEGER 4 No
IS_PC_ASSET CHARACTER 1 No
USERKEY INTEGER 4 No
UUID VARCHAR 32 Yes
SERIAL_NO VARCHAR 64 No
MANUFACTURER VARCHAR 64 Yes
MODEL VARCHAR 64 Yes
COMPUTERNAME VARCHAR 64 Yes
CUR_USER VARCHAR 64 Yes
ENCLOSURE VARCHAR 64 Yes
DOMAIN_NAME VARCHAR 64 Yes
MAC_ADDRESSES VARCHAR 128 Yes
IP_ADDRESSES VARCHAR 64 Yes
DATE_TIME TIMESTAMP 10 No
FIRST_OWNED_DATE TIMESTAMP 10 Yes
IS_LPAR INTEGER 4 No
PARENT_HWKEY INTEGER 4 No
Table 24. ASSET_INFO table - Table for storing additional Asset information. Holds the full
demographic information and 9 custom fields
TABLE NAME COLUMN NAME TYPE NAME LENGTH NULLS
ASSET_INFO HWKEY INTEGER 4 No
DESCRIPTION VARCHAR 30 Yes
COMPANY VARCHAR 40 Yes
LOCATION VARCHAR 60 Yes
Login failure
When you cannot log on to the IBM Endpoint Manager for Remote Control server,
you can try the following options.
Login failure when there is no LDAP/AD authentication
v Verify that the database is up and confirm that the application can
connect to it. If there is a connection issue, it is logged in the trc.log
file. This file is in the IBM Endpoint Manager for Remote Control
server installation directory, specified at installation. For details, see the
IBM Endpoint Manager for Remote Control Installation Guide.
v Restart the database, then restart the IBM Endpoint Manager for Remote
Control server service.
Login failure when LDAP/AD authentication is enabled
Verify that the IBM Endpoint Manager for Remote Control admin account
can log on locally. If the admin user can log on locally, there might be a
connectivity problem between IBM Endpoint Manager for Remote Control
and LDAP. Again, check the trc.log file to see what errors have
occurred.
Note: The default admin userid within the IBM Endpoint Manager for
Remote Control application always authenticates against the IBM
Endpoint Manager for Remote Control database, regardless of whether
LDAP authentication is enabled.
To view a log of all server and database activities, click Admin > View
Application Log. The content of the Application Log is displayed on the screen. To
see the most recent activities, scroll to the bottom of the file.
Note: From the Admin menu, select Send Application Log, to open or save the
application log file, trc.log, for attaching to an email.
Log4j logging
The log4j package is used to provide additional logging information and this can
be useful when trying to debug a problem using the application log file. The level
of logging can be controlled by the property values in the log4j.properties file.
For more details, see Chapter 21, “Editing the properties files,” on page 171. The
following levels of logging are available:
v ALL
v DEBUG
v INFO. This is the default value.
v WARN
v ERROR
v FATAL
v OFF
To obtain more information for debug purposes, complete the following steps:
1. Click Admin > Edit properties file.
2. Select log4j.properties from the list.
3. Set log4j.logger.com.ibm=DEBUG. This value logs information from debug
messages up to fatal messages.
4. Click Submit.
5. Restart the IBM Endpoint Manager for Remote Control server service.
6. Perform the steps that are causing a problem with the application.
7. Click Admin > View Application Log to view the log information, or select
Send Application Log to save the log file.
There might be multiple copies of the trc.log file. All of these log files are helpful
when debugging a problem and can be sent to the support team when you have a
problem. The value of log4j.logger.com.ibm must be set back to INFO when you
are finished.
Note: On a 64 bit system all the 32-bit registry keys are under the
WOW6432Node key. For example: HKEY_LOCAL_MACHINE\SOFTWARE\
WOW6432Node\IBM\Tivoli Remote Control\Target
2. Right-click DebugTrace and select Modify.
3. Set the value to YES and click OK.
4. Restart the target service.
5. Start a session with the required target and perform the steps required
for creating the problem.
6. End the session.
The log files are found in the location defined by the WorkingDir property
in the target registry.
Linux systems
1. Edit the ibmtrct.conf file.
2. Set the value of DebugTrace to YES and save the file.
3. Start a session with the required target and perform the steps required
for creating the problem.
4. End the session.
The log files are found in the location defined by the WorkingDir property
in the ibmtrct.conf file.
Note: When you finish gathering log files, set the value of DebugTrace to No and
restart the target service.
The broker log files are located in the \Broker directory within the broker's
working directory.
Windows systems
On Windows 2000, Windows XP, and Windows 2003 operating systems
Documents and Settings\All Users\ Application Data\IBM\Tivoli\Remote
Control\Broker
On Windows Vista operating system and later
\ProgramData\IBM\Tivoli\Remote Control\Broker
Linux systems
/var/opt/ibm/trc/broker
To add the IBM Endpoint Manager for Remote Control program to the Trusted Sites
zone, perform the following steps:
1. In Internet Explorer, click Tools > Internet Options.
2. Click the Security tab.
3. Click Trusted sites.
4. Click the Sites... button.
5. Clear the check box beside "Require server verification (https:) for all sites in
this zone".
6. Type the server address in the "Add this Web site to the zone:" field.
7. Click Add.
> mytrcserver.location.uk.example.com
Server: gbibp9ph1--31ndcr.wan.example.com
Address: 192.0.2.21
Name: mytrcserver.location.uk.example.com
Address: 192.0.2.25
> 192.0.2.25
Server: gbibp9ph1--31ndcr.wan.example.com
Address: 192.0.2.21
Name: mytrcserver.location.uk.example.com
Address: 192.0.2.25
In the example you can see that the server hostname resolves to the correct
IP address.
Note: If the IP address of the IBM Endpoint Manager for Remote Control
server changes at any time, the change is not reflected automatically in the
IBM Endpoint Manager for Remote Control application. Therefore, it is
important to update the URL property in trc.properties and restart the
server, because the targets continue to try to contact the old IP address
until the property is changed.
A default time period of 30 minutes is set in the web.xml file that is installed with
the server. You can increase the timeout value by editing the web.xml file.
For a server that is installed by using the server installer, the file is in the following
directory: \[server installation directory]\wlp\usr\servers\trcserver\apps\
TRCAPP.ear\trc.war\WEB-INF.
<session-config>
<session-timeout>30</session-timeout>
</session-config>
3. Set the timeout value to the number of minutes.
4. Save the file.
5. Restart the server service.
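The session-config edit above can be scripted so that the change is applied consistently and an unreasonable value is caught before the server is restarted. The following is an added example, not part of the product: it locates the session-timeout element with or without a default XML namespace, reads the current value, and writes a new one within an upper bound. The surrounding web-app element, its namespace and the 240-minute bound are assumptions for the example; only the session-config fragment comes from this section.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment. The session-config element is the one shown in this
# section; the web-app element and its namespace are assumptions.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <display-name>trc</display-name>
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>
"""

# Keep the default namespace unprefixed when the document is written back out.
ET.register_namespace("", "http://java.sun.com/xml/ns/javaee")


def _local_name(tag):
    """Strip a '{namespace}' prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _find_timeout_element(root):
    """Return the session-timeout element under session-config, or None."""
    for element in root.iter():
        if _local_name(element.tag) == "session-config":
            for child in element:
                if _local_name(child.tag) == "session-timeout":
                    return child
    return None


def get_session_timeout(xml_text):
    """Return the configured timeout in minutes, or None if the element is absent."""
    element = _find_timeout_element(ET.fromstring(xml_text))
    if element is None or element.text is None:
        return None
    return int(element.text.strip())


def set_session_timeout(xml_text, minutes, max_minutes=240):
    """Return web.xml text with session-timeout set to `minutes`.

    The upper bound is a local policy choice (an assumption for this example) so
    that an edit cannot quietly make an administrative session effectively permanent.
    """
    if not 1 <= minutes <= max_minutes:
        raise ValueError(f"session timeout must be between 1 and {max_minutes} minutes")
    root = ET.fromstring(xml_text)
    element = _find_timeout_element(root)
    if element is None:
        raise ValueError("web.xml has no session-config/session-timeout element")
    element.text = str(minutes)
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            + ET.tostring(root, encoding="unicode") + "\n")


if __name__ == "__main__":
    print("current:", get_session_timeout(SAMPLE_WEB_XML))
    print(set_session_timeout(SAMPLE_WEB_XML, 60))
```

Read the file, pass its text to set_session_timeout, write the result back, and then restart the server service as step 5 describes.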
Note:
1. The workaround is defined through a target group attribute and not a policy.
Therefore, if you start a session immediately after you change the setting, it
might not be updated in the target yet.
The following messages are displayed, depending on the value that is selected for
the properties and whether a user is logged on at the target computer.
Table 96. Workaround messages
Message #: 1
Message ID: workaround.w2k3rdp.console.unavailable
Message text: IBM Endpoint Manager for Remote Control is unable to control this
target system because the Windows console is in a Remote Desktop session with
user {0} connected from {1} ({2})
Message parameters: {0} Remote Desktop Client's user name; {1} Remote Desktop
Client's computer name; {2} Remote Desktop Client's IP address
Message #: 2
Message ID: workaround.w2k3rdp.console.reset
Message text: IBM Endpoint Manager for Remote Control is unable to control this
target system because the Windows console is unavailable while it is being reset.
This might take a few minutes. You can stop the Remote Control session at any
time.
Message parameters: none
Message #: 3
Message ID: workaround.w2k3rdp.disabled
Message text: IBM Endpoint Manager for Remote Control is unable to control this
target system because the Windows console is unavailable and the automatic reset
is not enabled.
Message parameters: none
Message #: 4
Message ID: target.capture.failed.start
Message text: IBM Endpoint Manager for Remote Control is unable to control this
target system because the display capture process failed to start.
Message parameters: none
Getting Help
If you have a problem with the IBM Endpoint Manager for Remote Control Server
program or have questions about a specific feature, a variety of sources are
available to help you, including:
v Documentation
v Web Pages
You are taken to the IBM Endpoint Manager for Remote Control infocenter, where
you can select the required documents.
http://pic.dhe.ibm.com/infocenter/tivihelp/v26r1/index.jsp?/topic/
com.ibm.tem.doc_9.1/remotecontrol.html
The IBM Endpoint Manager for Remote Control documents are listed. Explore the
relevant document.
Note: The host name that is defined in PublicBrokerURL must match the
host name that is defined in the certificate for the broker. It must also
match the host name that you use to register the broker in the remote
control server.
For more information about broker properties, see “Configuring the broker
properties” on page 229.
What session modes are available for remote control sessions that connect
through a broker?
When you start a remote control session through a broker, an Active
session is initiated by default. However, if Active mode is not enabled in
the session policies that are defined for the session, the next available
session mode is used. The following order of precedence applies,
Guidance, Monitor, Chat, File transfer. In addition, if user acceptance is
enabled for the session, the target user can select a different session mode
to start from the acceptance window. For more details about starting a
broker session, see the IBM Endpoint Manager for Remote Control
Controller User's Guide.
How do I create a certificate?
If you are using a Certificate Authority (CA) certificate, you must consult
their documentation to see how the root certificate and any relevant
intermediate certificates can be obtained. For self-signed certificates, you
can use the key management tool iKeyman. This tool is included with IBM
Endpoint Manager for Remote Control and is also available through IBM
WebSphere Application Server. For more information about creating
certificates, see “Creating a self signed certificate” on page 246.
What do I do if my certificate is about to expire?
You can add a certificate to the broker and to the truststore on the server.
However, to allow the target to start a session through the broker it must
continue to use the old certificate. The reason for this is that the target
does not yet trust the new certificate, therefore it would be unable to start
a session. For more information about changing to a new certificate, see
Chapter 26, “Migrating to a new certificate,” on page 253.
Overview
There are three types of connections used between the TRC components:
v The target uses HTTP connections to the server for registration and heartbeats.
v The controller uses TRC’s own protocol for remote control sessions to the target.
By default, the target uses port 888.
v The controller uses HTTP connections to launch a session.
Scenario 1 - Several networks using Network Address Translation
(NAT)
[Figure: the Server and Gateway1 at the head office behind a router; NAT routers
link it to Branch1, Branch2 and BranchN, each with its own gateway (Gateway2,
Gateway3, Gateway4) and its own targets on subnet 10.0.0/16]
In this scenario, there are multiple networks with targets in all of the networks and
the controllers all in the Company Head Office. The NAT routers in the branches
prevent the controllers from connecting directly to the targets in the branches and
therefore, a gateway must be installed in each network.
Similarly, Gateway 1 cannot connect directly to the gateways in the branches and
therefore, Gateway 2, 3 and 4 must connect to it first.
In such a scenario, Gateway 1 must be able to accept the connections from the
other gateways and from controllers trying to initiate remote control sessions
against targets located in other networks.
The inbound connection, named Inbound.1 in this example, will allow connections
from the other gateways on port 8881. The optional parameters can be configured
as required.
In this case, there are no inbound connections because there are no controllers or
gateways connecting to Gateways 2, 3 and 4. These gateways are connecting to
Gateway1 and this is defined by the Gateway.1 connection which has a connection
type, gateway. The DestinationAddress of Gateway.1 is set to the IP address for
Gateway1 and DestinationPort must match whatever is defined in Gateway 1
PortToListen. AllowEndpoints is set to true.
In the trc server, you would also add Gateway1 by clicking on Admin > New TRC
Gateway. The port number would be the one defined in the
Inbound.1.PortToListen property.
[Figure: Gateway1 to Gateway4 with controllers and targets distributed over
Scotland, Canada, South Korea and New Zealand, the Server in one of the
locations, and each location behind a firewall with an HTTP proxy]
In this scenario the targets and controllers are distributed over several locations, all
of which are protected by a firewall. The firewalls prevent the controllers from
connecting directly to the target in remote locations, but they do allow the
gateways to connect to gateways, and gateways only, in remote locations. The
existing HTTP proxy servers allow the targets to connect to the server.
Therefore the configuration file for the gateways will contain the following entries:
Inbound.1.PortToListen = 8881
# Optional:
# Inbound.1.BindTo = 0.0.0.0
# Inbound.1.RetryDelay = 45
# Inbound.1.Passphrase =
Inbound.1.AllowGateways = true
Inbound.1.AllowEndpoints = true
Gateway.X.ConnectionType = Gateway
Gateway.X.DestinationAddress = gatewayX_ipaddress
Gateway.X.DestinationPort = 8881
# Optional:
# Gateway.X.BindTo = 0.0.0.0
# Gateway.X.SourcePort = 0
# Gateway.X.RetryDelay = 45
# Gateway.X.KeepAlive = 900
# Gateway.X.Timeout = 90
# Gateway.X.Passphrase =
Endpoint.1.ConnectionType = Endpoint
# Optional
# Endpoint.1.SubnetAddress = 0.0.0.0
# Endpoint.1.SubnetMask = 0.0.0.0
# Endpoint.1.BindTo = 0.0.0.0
# Endpoint.1.SourcePort = 0
# Endpoint.1.Timeout = 90
In this scenario also, all of the gateways will be added to the server.
[Figure: GatewayT2 and GatewayRC2 in a DMZ network between two firewalls,
with targets in Unsecure Network 1, Unsecure Network 2 and Unsecure Network3
on the far side]
In this scenario there are two well-defined networks: a secure network, where the
server is installed and the controller machines are located, and an unsecure
network, which could be a web-facing network, where servers need to be accessed
for maintenance and problem resolution.
The two networks are linked by a DMZ network where two gateways, each with a
specific purpose, are installed.
Additionally, HTTP proxies are not available to enable the targets in the unsecure
network to register with the server in the secure network. Therefore, the gateways
need to establish a tunnel connection to allow this communication.
Gateway T1:
v Create a control connection to Gateway T2 to be used for the tunnel.
v Create connections to the server for tunnel connections.
Gateway.3.ConnectionType = Gateway
Gateway.3.DestinationAddress = gatewayT2_ipaddress
Gateway.3.DestinationPort = 8881
# Optional:
# Gateway.3.BindTo = 0.0.0.0
# Gateway.3.SourcePort = 0
# Gateway.3.RetryDelay = 45
# Gateway.3.KeepAlive = 900
# Gateway.3.Timeout = 90
# Gateway.3.Passphrase =
Since the targets in the unsecure network cannot connect directly to the server, a
tunnel connection must be created that will forward the heartbeats from the targets
to the server:
Outbound.1.ConnectionType = OutboundTunnel
Outbound.1.DestinationAddress = trc_server_ip_address
Outbound.1.DestinationPort = 80
# Optional
# Outbound.1.TunnelID = TRCSERVER
# Outbound.1.Timeout = 90
Where the DestinationAddress and DestinationPort are the IP address and port of
the TRC server.
Gateway T2:
v Create connections to Gateways T3x.
v Accept control connections from gateway T2.
Therefore the configuration file for Gateway T2 will contain the following entries,
regardless of the type of scenario:
Gateway.T3x.ConnectionType = Gateway
Gateway.T3x.DestinationAddress = gatewayT3x_ipaddress
Gateway.T3x.DestinationPort = 8881
# Optional:
# Gateway.T3x.BindTo = 0.0.0.0
# Gateway.T3x.SourcePort = 0
# Gateway.T3x.RetryDelay = 45
# Gateway.T3x.KeepAlive = 900
# Gateway.T3x.Timeout = 90
# Gateway.T3x.Passphrase =
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
# Optional:
# Inbound.1.BindTo = 0.0.0.0
# Inbound.1.RetryDelay = 45
# Inbound.1.Passphrase =
Inbound.1.AllowGateways = true
Inbound.1.AllowEndpoints = false
Gateways T3x:
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
# Optional:
# Inbound.1.BindTo = 0.0.0.0
# Inbound.1.RetryDelay = 45
# Inbound.1.Passphrase =
Inbound.1.AllowGateways = true
Inbound.1.AllowEndpoints = false
InboundTunnel.1.ConnectionType = InboundTunnel
InboundTunnel.1.PortToListen = 8880
# Optional
# InboundTunnel.1.TunnelID = TRCSERVER
# InboundTunnel.1.BindTo = 0.0.0.0
# InboundTunnel.1.RetryDelay = 45
Since the targets in the unsecure network cannot connect directly to the server, a
tunnel connection must be created that will forward the heartbeats from the targets
to the server.
PortToListen specifies the port that the target should connect to when connecting
to the server via a tunnel. For the targets to use the tunnel, the target configuration
must set the ProxyURL to:
trcGateway.://<gateway address>:8880
Scenario A
Gateway RC2
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
# Inbound.1.BindTo = 0.0.0.0
# Inbound.1.RetryDelay = 45
# Inbound.1.Passphrase =
Inbound.1.AllowGateways = false
Inbound.1.AllowEndpoints = true
Endpoint.1.ConnectionType = Endpoint
# Optional
# Endpoint.1.SubnetAddress = 0.0.0.0
# Endpoint.1.SubnetMask = 0.0.0.0
# Endpoint.1.BindTo = 0.0.0.0
# Endpoint.1.SourcePort = 0
# Endpoint.1.Timeout = 90
Scenario B
In this scenario, no traffic other than the gateway traffic is allowed outside the
secure network. So we need a new gateway RC1 that accepts the requests from
the controllers and passes them to RC2. Similarly, we need a new gateway RC3x in
each of the unsecure networks to locate the right target.
Gateway RC1:
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
# Optional:
# Inbound.1.BindTo = 0.0.0.0
# Inbound.1.RetryDelay = 45
# Inbound.1.Passphrase =
Inbound.1.AllowGateways = false
Inbound.1.AllowEndpoints = true
Gateway.RC2.DestinationAddress = gatewayRC2_ipaddress
Gateway.RC2.DestinationPort = 8881
# Optional:
# Gateway.RC2.BindTo = 0.0.0.0
# Gateway.RC2.SourcePort = 0
# Gateway.RC2.RetryDelay = 45
# Gateway.RC2.KeepAlive = 900
# Gateway.RC2.Timeout = 90
# Gateway.RC2.Passphrase =
Gateway RC2
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
# Optional:
# Inbound.1.BindTo = 0.0.0.0
# Inbound.1.RetryDelay = 45
# Inbound.1.Passphrase =
Inbound.1.AllowGateways = true
Inbound.1.AllowEndpoints = false
A gateway connection must be defined for each RC3 gateway (RC3a, RC3b, RC3c)
where x = a, b or c.
Gateway.RC3x.ConnectionType = Gateway
Gateway.RC3x.DestinationAddress = gatewayT3x_ipaddress
Gateway.RC3x.DestinationPort = 8881
# Optional:
# Gateway.RC3x.BindTo = 0.0.0.0
# Gateway.RC3x.RetryDelay = 45
# Gateway.RC3x.KeepAlive = 900
# Gateway.RC3x.Timeout = 90
# Gateway.RC3x.Passphrase =
Gateway RC3x
These gateways are now required to locate the endpoints that before were directly
accessible to Gateway RC2. The configuration file for the gateways will contain the
following entries:
Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
# Optional:
# Inbound.1.BindTo = 0.0.0.0
# Inbound.1.RetryDelay = 45
# Inbound.1.Passphrase =
Inbound.1.AllowGateways = true
Inbound.1.AllowEndpoints = false
Endpoint.1.ConnectionType = Endpoint
# Optional
# Endpoint.1.SubnetAddress = 0.0.0.0
# Endpoint.1.SubnetMask = 0.0.0.0
# Endpoint.1.BindTo = 0.0.0.0
# Endpoint.1.SourcePort = 0
# Endpoint.1.Timeout = 90
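The scenarios above all depend on the same cross-gateway agreements: a Gateway.X connection must point at a port on which the peer has an Inbound connection with AllowGateways = true, and an InboundTunnel must have a matching OutboundTunnel with the same TunnelID. Checking those agreements by hand across several configuration files is error-prone, so the following added example (not part of the product) parses the Name.N.Key = value format used throughout this section and validates a set of gateway configurations against each other. The sample configurations reproduce Scenario B (RC1, RC2, RC3a) with constructed 192.0.2.x addresses; treating a connection's name prefix as its ConnectionType when that line is absent, and TRCSERVER as the default TunnelID, are assumptions for the example.

```python
# Constructed Scenario B configurations (addresses are documentation examples).
RC1_CFG = """Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
Inbound.1.AllowGateways = false
Inbound.1.AllowEndpoints = true
Gateway.RC2.ConnectionType = Gateway
Gateway.RC2.DestinationAddress = 192.0.2.12
Gateway.RC2.DestinationPort = 8881
"""
RC2_CFG = """Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
Inbound.1.AllowGateways = true
Inbound.1.AllowEndpoints = false
Gateway.RC3a.ConnectionType = Gateway
Gateway.RC3a.DestinationAddress = 192.0.2.33
Gateway.RC3a.DestinationPort = 8881
"""
RC3A_CFG = """Inbound.1.ConnectionType = Inbound
Inbound.1.PortToListen = 8881
Inbound.1.AllowGateways = true
Inbound.1.AllowEndpoints = false
Endpoint.1.ConnectionType = Endpoint
# Endpoint.1.SubnetAddress = 0.0.0.0
"""
# gateway name -> (address other gateways use to reach it, configuration text)
SCENARIO_B = {
    "RC1": ("192.0.2.11", RC1_CFG),
    "RC2": ("192.0.2.12", RC2_CFG),
    "RC3a": ("192.0.2.33", RC3A_CFG),
}


def parse_gateway_config(text):
    """Parse 'Name.N.Key = value' lines into {connection: {key: value}}.

    Lines starting with '#' are comments, as in the listings in this section.
    """
    conns = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        parts = key.strip().split(".")
        if len(parts) < 3:
            continue  # not a connection property
        conn, prop = ".".join(parts[:-1]), parts[-1]
        conns.setdefault(conn, {})[prop] = value.strip()
    return conns


def connection_type(cname, props):
    # Assumption: when ConnectionType is not given, the name prefix implies it.
    return props.get("ConnectionType", cname.split(".", 1)[0])


def validate_topology(gateways):
    """Cross-check a set of gateway configs. Returns a list of problems (empty = consistent)."""
    parsed = {name: parse_gateway_config(cfg) for name, (_addr, cfg) in gateways.items()}
    by_addr = {addr: name for name, (addr, _cfg) in gateways.items()}
    # TunnelIDs offered by OutboundTunnel connections anywhere in the set.
    tunnel_ids = {props.get("TunnelID", "TRCSERVER")
                  for conns in parsed.values()
                  for cname, props in conns.items()
                  if connection_type(cname, props) == "OutboundTunnel"}
    problems = []
    for name, conns in parsed.items():
        for cname, props in conns.items():
            ctype = connection_type(cname, props)
            where = f"{name}/{cname}"
            if ctype == "Gateway":
                dest = props.get("DestinationAddress")
                peer = by_addr.get(dest)
                if peer is None:
                    problems.append(f"{where}: DestinationAddress {dest!r} is not a gateway in this set")
                    continue
                port = props.get("DestinationPort")
                listeners = [p for c, p in parsed[peer].items()
                             if connection_type(c, p) == "Inbound" and p.get("PortToListen") == port]
                if not listeners:
                    problems.append(f"{where}: {peer} has no Inbound connection with PortToListen = {port}")
                elif not any(p.get("AllowGateways", "").lower() == "true" for p in listeners):
                    problems.append(f"{where}: {peer} port {port} does not set AllowGateways = true")
            elif ctype == "InboundTunnel":
                tid = props.get("TunnelID", "TRCSERVER")
                if tid not in tunnel_ids:
                    problems.append(f"{where}: no OutboundTunnel with TunnelID {tid!r} in this set")
    return problems


if __name__ == "__main__":
    for problem in validate_topology(SCENARIO_B) or ["configuration is consistent"]:
        print(problem)
```

Run it over the real files before adding the gateways to the server (Admin > New TRC Gateway): a port or AllowGateways mismatch reported here is the same mismatch that would otherwise surface only as a gateway that never connects.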
332 IBM Endpoint Manager for Remote Control Administrator’s Guide
Notices
This information was developed for products and services that are offered in the
USA.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
websites. The materials at those websites are not part of the materials for this IBM
product and use of those websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.
All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject
to change without notice. Dealer prices may vary.
This information is for planning purposes only. The information herein is subject to
change before the products described become available.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
Each copy or any portion of these sample programs or any derivative work, must
include a copyright notice as follows:
Portions of this code are derived from IBM Corp. Sample Programs.
© Copyright IBM Corp. _enter the year or years_. All rights reserved.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the web at www.ibm.com/legal/
copytrade.shtml.
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered
trademarks or trademarks of Adobe Systems Incorporated in the United States,
other countries, or both.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,
Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or
registered trademarks of Intel Corporation or its subsidiaries in the United States
and other countries.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are
trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.
Applicability
These terms and conditions are in addition to any terms of use for the IBM
website.
Personal use
You may reproduce these publications for your personal, noncommercial use
provided that all proprietary notices are preserved. You may not distribute, display
or make derivative work of these publications, or any portion thereof, without the
express consent of IBM.
Commercial use
You may reproduce, distribute and display these publications solely within your
enterprise provided that all proprietary notices are preserved. You may not make
derivative works of these publications, or reproduce, distribute or display these
publications or any portion thereof outside your enterprise, without the express
consent of IBM.
Rights
IBM reserves the right to withdraw the permissions granted herein whenever, in its
discretion, the use of the publications is detrimental to its interest or, as
determined by IBM, the above instructions are not being properly followed.
You may not download, export or re-export this information except in full
compliance with all applicable laws and regulations, including all United States
export laws and regulations.