0% found this document useful (0 votes)

19 views555 pages

Fudo System Documentation

Uploaded by

relofet765

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

19 views555 pages

Fudo System Documentation

Uploaded by

relofet765

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 555

Fudo Enterprise 5.

4 - System
Documentation

Fudo Security

March 20, 2024

Contents

1 About documentation 1

2 Layout themes of the Admin Panel 4

3 Introduction 6
3.1 System overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.2 Supported protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.2.1 HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.2.2 Modbus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2.3 MS SQL (TDS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2.4 MySQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.2.5 RDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.2.6 SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.2.7 Telnet 3270 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.2.8 Telnet 5250 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.2.9 Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.2.10 VNC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.2.11 X11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.2.12 TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.2.13 Secret Checkout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.3 Deployment scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.4 Connection modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.5 User authentication methods and modes . . . . . . . . . . . . . . . . . . . . . . . 24
3.6 Security measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.6.1 Data encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.6.2 Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.6.3 Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.6.4 Sandboxing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.6.5 Reliability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.6.6 Cluster configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.7 Data model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.8 Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.8.1 Widgets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.8.2 Adding, customizing and removind dashlets . . . . . . . . . . . . . . . . 31
3.8.3 Hard drives status information . . . . . . . . . . . . . . . . . . . . . . . . 32
3.9 User Portal (Access Gateway) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

i
3.10 Third-Party Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

4 System deployment 34
4.1 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
4.2 Hardware overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
4.3 System initiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.3.1 Virtual machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

5 Quick start 50
5.1 SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
5.1.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.1.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.1.3 Establishing connection . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
5.1.4 Viewing user session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
5.2 SSH in bastion mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
5.2.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
5.2.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
5.2.3 Establishing connection . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
5.2.4 Viewing user session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
5.3 RDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
5.3.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
5.3.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
5.3.3 Establishing an RDP connection with a remote host . . . . . . . . . . . 69
5.3.4 Viewing user session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
5.4 RDP in bastion mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
5.4.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
5.4.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
5.4.3 Establishing an RDP connection with a remote host . . . . . . . . . . . 77
5.4.4 Viewing user session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
5.5 Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
5.5.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
5.5.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
5.5.3 Establishing a telnet connection with the remote host . . . . . . . . . . . 86
5.5.4 Viewing user’s session . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
5.6 Telnet 5250 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
5.6.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
5.6.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
5.6.3 Establishing a telnet connection with the remote host . . . . . . . . . . . 93
5.6.4 Viewing user’s session . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
5.7 MySQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
5.7.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
5.7.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
5.7.3 Establishing connection with a MySQL database . . . . . . . . . . . . . 100
5.7.4 Viewing user session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
5.8 MS SQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
5.8.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
5.8.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
5.8.3 Establishing connection with a MS SQL database . . . . . . . . . . . . . 108
5.8.4 Viewing user session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
5.9 HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
5.9.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
5.9.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

ii
5.9.3 Connecting to remote resource . . . . . . . . . . . . . . . . . . . . . . . . 116
5.9.4 Viewing user session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
5.10 VNC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
5.10.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
5.10.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
5.10.3 Establishing connection . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
5.10.4 Viewing user session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
5.11 User authentication against external LDAP server . . . . . . . . . . . . . . . . . 124
5.11.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
5.11.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

6 Users 127
6.1 Creating a user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
6.2 Copying user grants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
6.3 Editing a user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
6.4 Blocking a user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
6.5 Unblocking a user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
6.6 Deleting a user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
6.7 Authentication failures counter . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
6.8 Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
6.9 Users synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

7 Servers 149
7.1 Creating a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
7.1.1 Creating an HTTP server . . . . . . . . . . . . . . . . . . . . . . . . . . 149
7.1.2 Creating a Modbus server . . . . . . . . . . . . . . . . . . . . . . . . . . 152
7.1.3 Creating a MS SQL server . . . . . . . . . . . . . . . . . . . . . . . . . . 153
7.1.4 Creating a MySQL server . . . . . . . . . . . . . . . . . . . . . . . . . . 155
7.1.5 Creating an RDP server . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
7.1.6 Creating an SSH server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
7.1.7 Creating a Telnet server . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
7.1.8 Creating a Telnet 3270 server . . . . . . . . . . . . . . . . . . . . . . . . 163
7.1.9 Creating a Telnet 5250 server . . . . . . . . . . . . . . . . . . . . . . . . 165
7.1.10 Creating a VNC server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
7.1.11 Creating a TCP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
7.2 Importing a server list from CSV file . . . . . . . . . . . . . . . . . . . . . . . . . 170
7.3 Editing a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
7.4 Blocking a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
7.5 Unblocking a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
7.6 Deleting a server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

8 Pools 176
8.1 Creating a pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
8.2 Deleting a pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

9 Remote applications 179

9.1 Adding remote application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
9.2 Connecting to remote application via Access Gateway . . . . . . . . . . . . . . . 180
9.3 Deleting remote application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

10 Accounts 182
10.1 Creating an account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

iii
10.1.1 Creating an anonymous account . . . . . . . . . . . . . . . . . . . . . . . 183
10.1.2 Creating a forward account . . . . . . . . . . . . . . . . . . . . . . . . . 185
10.1.3 Creating a regular account . . . . . . . . . . . . . . . . . . . . . . . . . . 189
10.2 Editing an account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
10.3 Blocking an account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
10.4 Unblocking an account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
10.5 Deleting an account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
10.6 Managing security alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
10.6.1 Triggering password change . . . . . . . . . . . . . . . . . . . . . . . . . 199
10.6.2 Ignoring security alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

11 Listeners 202
11.1 Creating a listener . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
11.1.1 Setting up the SSH listener . . . . . . . . . . . . . . . . . . . . . . . . . 204
11.1.2 Setting up the RDP listener . . . . . . . . . . . . . . . . . . . . . . . . . 207
11.1.3 Setting up the VNC listener . . . . . . . . . . . . . . . . . . . . . . . . . 211
11.1.4 Setting up the HTTP listener . . . . . . . . . . . . . . . . . . . . . . . . 213
11.1.5 Setting up the Modbus listener . . . . . . . . . . . . . . . . . . . . . . . 217
11.1.6 Setting up the MySQL listener . . . . . . . . . . . . . . . . . . . . . . . 218
11.1.7 Setting up the TCP listener . . . . . . . . . . . . . . . . . . . . . . . . . 220
11.1.8 Setting up the MS SQL listener . . . . . . . . . . . . . . . . . . . . . . . 223
11.1.9 Setting up the Telnet listener . . . . . . . . . . . . . . . . . . . . . . . . 225
11.1.10 Setting up the Telnet 3270 listener . . . . . . . . . . . . . . . . . . . . . 227
11.1.11 Setting up the Telnet 5250 listener . . . . . . . . . . . . . . . . . . . . . 229
11.2 Editing a listener . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
11.3 Blocking a listener . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
11.4 Unblocking a listener . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
11.5 Deleting a listener . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

12 Safes 235
12.1 Creating a safe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
12.2 Editing a safe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
12.3 Blocking a safe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
12.4 Unblocking a safe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
12.5 Deleting a safe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

13 Discovery 244
13.1 Creating a rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
13.1.1 Creating a rule for accounts . . . . . . . . . . . . . . . . . . . . . . . . . 245
13.1.2 Creating a rule for servers . . . . . . . . . . . . . . . . . . . . . . . . . . 247
13.2 Managing rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
13.3 Creating a scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
13.3.1 Creating a scanner for Domain Controller Accounts . . . . . . . . . . . . 248
13.3.2 Creating a scanner for Domain Controller Servers . . . . . . . . . . . . . 251
13.3.3 Creating a scanner for local accounts . . . . . . . . . . . . . . . . . . . . 252
13.4 Managing scanners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
13.5 Managing discovered accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
13.6 Managing discovered servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

14 Password changers 257

14.1 Password changer policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
14.1.1 Defining a password changer policy . . . . . . . . . . . . . . . . . . . . . 258

iv
14.1.2 Editing a password changer policy . . . . . . . . . . . . . . . . . . . . . . 259
14.1.3 Deleting a password changer policy . . . . . . . . . . . . . . . . . . . . . 259
14.2 Custom password changers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
14.2.1 Defining a custom password changer . . . . . . . . . . . . . . . . . . . . 259
14.2.2 Editing a custom password changer . . . . . . . . . . . . . . . . . . . . . 263
14.2.3 Deleting a custom password changer . . . . . . . . . . . . . . . . . . . . 263
14.3 Connection modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
14.3.1 SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
14.3.2 LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
14.3.3 Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
14.3.4 WinRM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
14.4 Setting up password changing on a Unix system . . . . . . . . . . . . . . . . . . 267

15 Policies 269
15.1 AI module-based policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
15.2 Regular expression-based policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

16 Downloads 277
16.1 Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
16.2 Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

17 Account activity in the Access Gateway 279

18 Access requests 283

18.1 Awaiting requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
18.2 Active requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
18.3 Archived requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286

19 Sessions 288
19.1 Filtering sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
19.1.1 Defining filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
19.1.2 Managing user defined filter definitions . . . . . . . . . . . . . . . . . . . 291
19.1.3 Full text search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
19.2 Viewing sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
19.3 Pausing connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
19.4 Terminating connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
19.5 Joining live session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
19.6 Sharing sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
19.7 Commenting sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
19.8 Sessions’ retention lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
19.9 Exporting sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
19.10 Deleting sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
19.11 OCR processing sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
19.12 Session data replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
19.13 Timestamping selected sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
19.14 Cancelling sessions timestamping . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
19.15 Approving pending user requests . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
19.15.1 Fudo management interface . . . . . . . . . . . . . . . . . . . . . . . . . 312
19.16 Declining pending requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
19.16.1 Fudo administration interface . . . . . . . . . . . . . . . . . . . . . . . . 313
19.17 AI sessions processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
19.17.1 Content models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

v
19.17.2 Session scoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
19.17.3 Quantitive models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

20 Reports 318

21 Productivity 322
21.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
21.2 Sessions analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
21.3 Activity comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324

22 Administration 326
22.1 System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
22.1.1 Date and time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
22.1.2 SSL certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
22.1.3 Deny new connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
22.1.4 SSH access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
22.1.5 Sensitive features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
22.1.6 System update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
22.1.6.1 Updating system . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
22.1.6.2 Restoring previous system version . . . . . . . . . . . . . . . . . 333
22.1.6.3 Deleting upgrade snapshot . . . . . . . . . . . . . . . . . . . . . 334
22.1.7 License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
22.1.8 Hotfix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
22.1.9 Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
22.1.10 Configuration encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
22.1.11 Default domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
22.1.12 Password complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
22.1.13 Single Sign On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
22.1.13.1 Setting up Fudo Enterprise for SSO . . . . . . . . . . . . . . . . 342
22.1.13.2 Single Sign On in Admin Panel . . . . . . . . . . . . . . . . . . . 342
22.1.13.3 Single Sign On in User Portal . . . . . . . . . . . . . . . . . . . . 343
22.1.13.4 Setting up domain controller . . . . . . . . . . . . . . . . . . . . 344
22.1.13.5 Setting up user workstations . . . . . . . . . . . . . . . . . . . . 344
22.1.14 Password changers - active cluster node . . . . . . . . . . . . . . . . . . . 344
22.1.14.1 Cluster Password Changers . . . . . . . . . . . . . . . . . . . . . 345
22.2 Network settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
22.2.1 Network interfaces configuration . . . . . . . . . . . . . . . . . . . . . . . 346
22.2.1.1 Managing physical interfaces . . . . . . . . . . . . . . . . . . . . 346
22.2.1.2 Defining IP address using system console . . . . . . . . . . . . . 349
22.2.1.3 Setting up a network bridge . . . . . . . . . . . . . . . . . . . . . 352
22.2.1.4 Setting up virtual networks (VLANs) . . . . . . . . . . . . . . . 353
22.2.1.5 Setting up LACP link aggregation . . . . . . . . . . . . . . . . . 354
22.2.2 Labeled IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
22.2.3 Routing configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
22.2.4 DNS configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
22.2.5 ARP table configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
22.3 Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
22.4 Artificial Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
22.4.1 Configuring models trainers . . . . . . . . . . . . . . . . . . . . . . . . . 362
22.4.2 Behavioral analysis models . . . . . . . . . . . . . . . . . . . . . . . . . . 364
22.5 Trusted time-stamping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
22.6 Certificate-based authentication scheme . . . . . . . . . . . . . . . . . . . . . . . 367

vi
22.7 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
22.7.1 External authentication server definition . . . . . . . . . . . . . . . . . . 369
22.7.2 OATH authentication definition . . . . . . . . . . . . . . . . . . . . . . . 371
22.7.3 SMS authentication definition . . . . . . . . . . . . . . . . . . . . . . . . 371
22.7.4 DUO authentication definition . . . . . . . . . . . . . . . . . . . . . . . . 373
22.7.5 OpenID Connect authentication definition . . . . . . . . . . . . . . . . . 374
22.8 External passwords repositories . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
22.8.1 CyberArk Enterprise Password Vault . . . . . . . . . . . . . . . . . . . . 376
22.8.2 CyberArk Credential Provider . . . . . . . . . . . . . . . . . . . . . . . . 378
22.8.3 Thycotic Secret Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
22.8.4 Local Administrator Password Solutions (LAPS) . . . . . . . . . . . . . 381
22.9 Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
22.9.1 RDP/VNC login screen configuration . . . . . . . . . . . . . . . . . . . . 383
22.9.2 User portal login screen configuration . . . . . . . . . . . . . . . . . . . . 386
22.10 System version restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
22.11 System restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
22.12 SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
22.12.1 Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
22.12.2 Configuring SNMPv3 TRAP . . . . . . . . . . . . . . . . . . . . . . . . . 391
22.12.3 SNMP MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
22.12.4 Getting SNMP readings using snmpwalk . . . . . . . . . . . . . . . . . . 392
22.12.5 Fudo Enterprise specific SNMP extensions . . . . . . . . . . . . . . . . . 393
22.13 Backup and retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
22.13.1 System backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
22.13.2 Data retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
22.14 External storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
22.14.1 Configuring external storage . . . . . . . . . . . . . . . . . . . . . . . . . 398
22.14.2 Expanding external storage device . . . . . . . . . . . . . . . . . . . . . 399
22.15 Exporting/importing system configuration . . . . . . . . . . . . . . . . . . . . . 399
22.15.1 Exporting system configuration . . . . . . . . . . . . . . . . . . . . . . . 399
22.15.2 Importing system configuration . . . . . . . . . . . . . . . . . . . . . . . 400
22.16 Cluster configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
22.16.1 Initiating cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
22.16.2 Adding cluster nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
22.16.3 Editing cluster nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
22.16.4 Deleting cluster nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
22.16.5 Redundancy groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
22.17 Events log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
22.17.1 External syslog servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
22.17.2 Exporting events log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
22.18 Changing encryption passphrase . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
22.19 Integration with CERB server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
22.20 System maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
22.20.1 Backing up encryption keys . . . . . . . . . . . . . . . . . . . . . . . . . 422
22.20.2 Monitoring system condition . . . . . . . . . . . . . . . . . . . . . . . . . 426
22.20.3 Health Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
22.20.3.1 API Health Check . . . . . . . . . . . . . . . . . . . . . . . . . . 428
22.20.4 Call Home . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
22.20.5 Hard drive replacement . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
22.20.6 Resetting configuration to default settings . . . . . . . . . . . . . . . . . 430

vii
23 Reference information 434
23.1 RDP connections broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
23.2 Log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
23.3 Footer Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448

24 Fudo Officer 1.0 450

24.1 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
24.2 Managing session requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
24.3 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454

25 AAPM (Application to Application Password Manager) 457

25.1 Compiling fudopv tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
25.1.1 Python . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
25.1.2 Virtual environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
25.1.3 Fetching dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
25.1.4 Package creation script . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
25.2 Deploying fudopv without compiling source files . . . . . . . . . . . . . . . . . . 460
25.3 Using fudopv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
25.4 Authentication methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
25.4.1 Static password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

26 Ticketing systems 467

27 Client applications 468

27.1 PuTTY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
27.2 Microsoft Remote Desktop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
27.3 TightVNC Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
27.4 SQL Server Management Studio . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

28 Troubleshooting 475
28.1 Booting up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
28.2 Connecting to servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
28.3 Logging to administration panel . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
28.4 Session playback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
28.5 Cluster configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
28.6 Trusted timestamping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
28.7 Support mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482

29 Use Cases 486

29.1 Two-factor OATH authentication with Google Authenticator . . . . . . . . . . . 486
29.1.1 Protocols Supporting OATH Authentication Method . . . . . . . . . . . 486
29.1.2 Configuring the OATH Authentication Method . . . . . . . . . . . . . . 487
29.2 OpenID Connect authentication definition with Azure . . . . . . . . . . . . . . . 492
29.3 Remote Desktop Services configuration on Windows Server for Fudo Enterprise . 499
29.3.1 Setup Remote Desktop Services (RDS) . . . . . . . . . . . . . . . . . . . 500
29.3.2 Setup Fudo Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
29.4 Managing RPD Server certificates in Windows Server . . . . . . . . . . . . . . . 517
29.4.1 Locating the Server Certificate in Windows Server . . . . . . . . . . . . . 517
29.4.2 Providing the CA Certificate . . . . . . . . . . . . . . . . . . . . . . . . . 520

30 Frequently asked questions 536

31 Glossary 540

viii
Index 543

ix
CHAPTER 1

About documentation

The target audience of this document are system administrators and operators, responsible for
managing Fudo Enterprise’s configuration and supervising remote access.
Documentation Structure
1. About documentation
This chapter provides information about the documentation.
2. Layout themes of the Admin Panel
This chapter provides information on how to change layout themes for the Fudo Enterprise’s
Admin Panel.
3. Introduction
This chapter provides information on Fudo Enterprise modules, describes data model, covers
deployment scenarios as well as connections modes and user authentication methods.
4. System deployment
This chapter covers system deployment procedure along with the system initiation.
5. Quick start
This chapter contains typical configuration examples.
6. Users
This chapter covers users management topics.
7. Servers
This chapter covers servers management topics.
8. Pools
This chapter covers pools management topics.
9. Remote applications

1
Fudo Enterprise 5.4 - System Documentation

This chapter covers remote applications management topics.

10. Accounts
This chapter covers accounts management topics.
11. Listeners
This chapter covers listeners management topics.
12. Safes
This chapter covers safes management topics.
13. Discovery
This chapter covers the Discovery functionality and management topics.
14. Password changers
This chapter contains information on automated password changing feature.
15. Policies
This chapter contains information on Fudo’s proactive monitoring features.
16. Account activity in the Access Gateway
This chapter covers the functionality of Resource in use option.
17. Access requests
This chapter covers the functionality of granting access to the resources via the request.
18. Sessions
This chapter contains information on stored access sessions.
19. Reports
This chapter contains topics related to generating reports.
20. Productivity
This chapter describes Fudo Enterprise’s Productivity Analyzer module.
21. Administration
This chapter contains administration procedures.
22. Reference information
This chapter contains reference information which supplement Fudo Enterprise administration
topics.
23. Fudo Officer 1.0
This chapter describes the Fudo Officer 1.0 application functionality.
24. AAPM (Application to Application Password Manager)
This chapter contains information on password management in third party applications.
25. Ticketing systems
This chapter covers integration with Service Now ticketing system.
26. Client applications

2
Fudo Enterprise 5.4 - System Documentation

This chapter contains client applications configuration instructions for selected protocols.
27. Troubleshooting
This chapter contains solutions for potential problems which may occur when using Fudo En-
terprise.
28. Frequently asked questions
This chapter contains frequently requested information about Fudo Enterprise.
29. Glossary
This chapter contains list of terms used throughout this documentation.
Conventions and symbols
This documentation is written using the following conventions:
• italic - this formatting is used to mark user interface elements.
• example - this formatting is used to write example value of a parameter, API
method name or code example.
• Note field:

Note: Note field usually contains additional information closely related with de-
scribed topic, e.g. suggestion concerning given procedure step; additional conditions
which have to be met.

• Warning field:

Warning: Warning field usually contains essential information concerning sys-

tem’s operation. Not adhering to this information may have irreversible conse-
quences.

Disclaimer
All trademarks, product names, and company names or logos cited in this document are the
property of their respective owners and are used for information purpose only.

3
CHAPTER 2

Layout themes of the Admin Panel

There are three layout themes available to choose for the Admin Panel. Click the icon in the
lower right corner of the screen to access the list of variants.
Light theme:

Dark theme:

4
Fudo Enterprise 5.4 - System Documentation

Terminal theme:

3.1 System overview

Fudo Enterprise is a complete solution for managing remote privileged access. Fudo Enterprise
comprises four modules each dedicated to different aspects of remote access management:
• Privilege Session Monitoring (PSM)
• Secret Manager
• Productivity Analyzer
• Application to Application Password Manager (AAPM)
PSM
PSM module enables facilitating constant monitoring of remote access sessions to IT infrastruc-
ture. Fudo Enterprise acts as a proxy between users and monitored servers and it registers users’
actions, including mouse pointer moves, keystrokes and transferred files.

The PSM module records complete network traffic along with meta data, enabling precise session
playback and full-text content search.
Fudo Enterprise enables viewing current connections and intervening in a monitored session in
case the administrator notices a potential misuse of access rights.
The PSM module supports following system configurations:
• Linux,
• FreeBSD,
• Mac OS X

6
Fudo Enterprise 5.4 - System Documentation

• Microsoft Windows Server,

• Microsoft Windows,
• TightVNC,
• Solaris.
Secret manager
Fudo Enterprise can be also set up to automatically manage login credentials on monitored
servers and periodically change passwords at specified time intervals (e.g. 1 hour).
Secret manager module supports password changing on following systems:
• Unix
• MySQL
• Cisco
• Cisco Enable Password
• MS Windows
It also enables configuring a custom password changer as a set of commands executed on remote
a host.
For more information on the Secret Manager module, refer to the Password changers topic.
Productivity Analyzer
Productivity Analyzer module tracks users’ actions and provides precise information on their
activity and idle times.
For more information on the Productivity Analyzer module, refer to the Productivity topic.
Application to Application Password Manager (AAPM)
AAPM module enables secure passwords exchange between applications.
AAPM supported operating systems:
• Microsoft Windows operating systems,
• Linux family operating systems,
• BSD family operating systems.
For more information on the AAPM module, refer to the AAPM (Application to Application
Password Manager) topic.
Related topics:
• Requirements
• Data model
• Security measures

3.1. System overview 7

Fudo Enterprise 5.4 - System Documentation

3.2 Supported protocols

3.2.1 HTTP

Supported connection modes:

• Bastion,
• Gateway,
• Proxy,
• Transparent.
Supported OCR languages for the rendered HTTP session:
• English
• German
• Norwegian
• Ukrainian
• Polish
• Hungarian
• Russian
Supported algorithms when TLS encryption selected and the option Legacy ciphers disabled:
• ecdhe-ecdsa-aes256-gcm-sha384
• ecdhe-rsa-aes256-gcm-sha384
• ecdhe-ecdsa-chacha20-poly1305
• ecdhe-rsa-chacha20-poly1305
• ecdhe-ecdsa-aes256-sha384
• dhe-rsa-aes256-gcm-sha384
Notes:

Warning: HTTP rendering is a CPU intensive process and may have negative impact on
system’s performance. A physical appliance is recommended for monitoring rendered HTTP
connections with the following limitations regarding the maximum number of concurrent
rendered HTTP sessions.

Model Maximum recommended number of concurrent HTTP sessions*

F100x 2
F300x 5
F500x 10

* The actual value depends on the Fudo Enterprise instance configuration.

• Session joining is not supported.

3.2. Supported protocols 8

Fudo Enterprise 5.4 - System Documentation

• Login reason option is not supported.

Additionally, in the non-rendered mode:
• Bastion mode is not supported due to limitations of the protocol.
• Access to external resources is not monitored.
• Following redirections is not supported.
• Credentials forwarding is not supported.
Additionally, in the rendered mode:
• Raw HTTP data is not stored.
• A list of fonts available in Fudo Enterprise for the rendered HTTP sessions.

3.2.2 Modbus

Supported connection modes:

• Gateway,
• Proxy,
• Transparent.
Notes:
• Session joining is not supported.
• Bastion mode is not supported due to limitations of the protocol.

3.2.3 MS SQL (TDS)

Due to the fact that MS SQL Studio may create multiple connections for sending internal queries,
the sessions, connected via the TDS layer protocol using MS SQL Studio are getting aggregated
by Fudo Enterprise.
Fudo Enterprise follows an algorithm that verifies if there is an already connected session on a
current node. If the algorithm identifies that the main connection objects (listener, account,
server address (server), user, and safe) of the new session are correlating with already
existing session, both sessions are aggregated into one.
If the main connection objects of the new session are not correlating with any of already existing
sessions, a new session is created.
This makes multiple queries to be grouped within one session. Every query has a unique tag
that allows filtering important connections with users’ queries in the Fudo Enterprise player.
Supported connection modes:
• Bastion,
• Gateway,

3.2. Supported protocols 9

Fudo Enterprise 5.4 - System Documentation

• Proxy,
• Transparent.
Supported client applications:
• SQL Server Management Studio,
• sqsh.
Notes:
• Session joining is not supported.

3.2.4 MySQL

Supported connection modes:

• Gateway,
• Proxy,
• Transparent.
Supported client applications:
• Official MySQL client,
• PyMySQL libraries for Python.
Notes:
• Session joining is not supported.
• Bastion mode is not supported due to limitations of the protocol.
• Active Directory and other external authentication sources are not supported.

3.2.5 RDP

Supported connection modes:

• Bastion,
• Gateway,
• Proxy,
• Transparent.
Supported client applications:
• All official Microsoft clients for Windows and macOS,
• FreeRDP 2.0 and newer.
Supported OCR languages:
• English
• German
• Norwegian

3.2. Supported protocols 10

Fudo Enterprise 5.4 - System Documentation

• Ukrainian
• Polish
• Hungarian
• Russian
Supported algorithms
• when TLS encryption selected and the option Legacy ciphers is disabled:
– TLS_AES_256_GCM_SHA384
– TLS_CHACHA20_POLY1305_SHA256
– TLS_AES_128_GCM_SHA256
– ECDHE-ECDSA-CHACHA20-POLY1305
– ECDHE-RSA-CHACHA20-POLY1305
– ECDHE-ECDSA-AES256-GCM-SHA384
– ECDHE-RSA-AES256-GCM-SHA384
– ECDHE-ECDSA-AES256-SHA384
– ECDHE-RSA-AES256-SHA384
– DHE-RSA-AES256-GCM-SHA384
– AES256-GCM-SHA384
– AES128-GCM-SHA256
– AES128-SHA256
• when TLS encryption selected and the option Legacy ciphers is enabled:
– TLS_AES_256_GCM_SHA384
– TLS_CHACHA20_POLY1305_SHA256
– TLS_AES_128_GCM_SHA256
– ECDHE-ECDSA-AES256-GCM-SHA384
– ECDHE-RSA-AES256-GCM-SHA384
– DHE-RSA-AES256-GCM-SHA384
– ECDHE-ECDSA-CHACHA20-POLY1305
– ECDHE-RSA-CHACHA20-POLY1305
– DHE-RSA-CHACHA20-POLY1305
– ECDHE-ECDSA-AES128-GCM-SHA256
– ECDHE-RSA-AES128-GCM-SHA256
– DHE-RSA-AES128-GCM-SHA256
– ECDHE-ECDSA-AES256-SHA384
– ECDHE-RSA-AES256-SHA384

3.2. Supported protocols 11

Fudo Enterprise 5.4 - System Documentation

– DHE-RSA-AES256-SHA256
– ECDHE-ECDSA-AES128-SHA256
– ECDHE-RSA-AES128-SHA256
– DHE-RSA-AES128-SHA256
– ECDHE-ECDSA-AES256-SHA
– ECDHE-RSA-AES256-SHA
– DHE-RSA-AES256-SHA
– ECDHE-ECDSA-AES128-SHA
– ECDHE-RSA-AES128-SHA
– DHE-RSA-AES128-SHA
– AES256-GCM-SHA384
– AES128-GCM-SHA256
– AES256-SHA256
– AES128-SHA256
– AES256-SHA
– AES128-SHA
Notes:
• RDP protocol implementation supports user authentication over RADIUS in challenge-
response mode.
• For RDP servers are supported NLA mode and TLS mode.
• For RDP listeners, besides the standard security level, the Enhanced RDP Security with
TLS option is supported.
• In case the NLA option enabled, Fudo Enterprise requires NTLM protocol version 2 or
newer. To properly handle NLA authentication connections, enable option to only send
NTLMv2 response both on client and server side.
1. Click Start > All Programs > Accessories > Run.
2. Type secpol.msc in the Open input field and click OK.
3. Select Local Policies > Security Options and double-click Network Security: LAN
Manager authentication level.
4. Select Send NTLMv2 response only. Refuse LM & NTLM from the drop-down list.
5. Click Apply.
• Fudo Enterprise verifies input language settings when negotiation connection and does not
support dynamic language change on the login screen.
RemoteApp
Fudo natively supports RemoteApp connections over RDP protocol. Application windows are
recorded the same way as RDP connections, enforcing all Fudo Enterprise security restrictions.

3.2. Supported protocols 12

Fudo Enterprise 5.4 - System Documentation

To monitor RemoteApp sessions, the connection must be launched through a *.rdp configuration
file with the Fudo Enterprise IP address and the port number defined.
Connections initiated over Remote Desktop Web Access can be monitored by Fudo only in
Transparent/Gateway mode as the Remote Desktop Web Access can not provide Fudo IP address
instead of original destination server.

3.2.6 SSH

Supported connection modes:

• Bastion,
• Gateway,
• Proxy,
• Transparent.
Supported features:
• Connections multiplexing (video export, session termination, pause, join, playback, raw
data),
• SCP (raw data, session termination, extracting separate files),
• SFTP,
• 2FA,
• Port redirection (video export, session termination, pause, session join, playback, raw
data),
• SSH Agent forwarding (transparent, not recorded),
• X11 - within SSH protocol (video export, session termination, pause, session join, playback,
raw data),
• Shell (video export, session termination, pause, session join, playback, raw data),
• Terminal (video export, session termination, pause, session join, playback, raw data).
Supported encryption algorithms:
• Server: RSA, DSA
• Listener: RSA, DSA
Supported hashing algorithms:
• MD5
• SHA256
Supported types of SSH keys:
• RSA
• ED25519, ED25519-SK
• ECDSA, ECDSA-SK
• DSA (with the Legacy ciphers option enabled)

3.2. Supported protocols 13

Fudo Enterprise 5.4 - System Documentation

Supported encoding: UTF-8

Supported ciphers:
• Supported key exchange algorithms:
– curve25519-sha256
– [email protected]
– ecdh-sha2-nistp256
– ecdh-sha2-nistp384
– ecdh-sha2-nistp521
– diffie-hellman-group-exchange-sha256
– diffie-hellman-group16-sha512
– diffie-hellman-group18-sha512
– diffie-hellman-group14-sha256
• additionally, there are 3 more key exchange algorithms supported when the Legacy ciphers
option is enabled:
– diffie-hellman-group14-sha1
– diffie-hellman-group1-sha1
– diffie-hellman-group-exchange-sha1
• Supported host key algorithms:
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– ecdsa-sha2-nistp256
– ecdsa-sha2-nistp384
– ecdsa-sha2-nistp521
– ssh-ed25519
– rsa-sha2-512
– rsa-sha2-256
– ssh-rsa
• plus, there are 2 more host key algorithms supported when the Legacy ciphers option is
enabled:
– ssh-dss

3.2. Supported protocols 14

Fudo Enterprise 5.4 - System Documentation

– [email protected]
• Supported encryption algorithms:
– [email protected]
– aes128-ctr
– aes192-ctr
– aes256-ctr
– [email protected]
– [email protected]
• additionally, there are 10 more encryption algorithms supported when the Legacy ciphers
option is enabled:
– aes128-cbc
– aes192-cbc
– aes256-cbc
– [email protected]
– 3des-cbc
– arcfour256
– arcfour128
– arcfour
– blowfish-cbc
– cast128-cbc
• Supported MAC algorithms:
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– hmac-sha2-256
– hmac-sha2-512
• plus, there are 11 more MAC algorithms supported when the Legacy ciphers option is
enabled:
– hmac-sha1
– [email protected]
– [email protected]
– hmac-sha1-96

3.2. Supported protocols 15

Fudo Enterprise 5.4 - System Documentation

– hmac-ripemd160
– [email protected]
– [email protected]
– hmac-md5
– hmac-md5-96
– [email protected]
– [email protected]
Notes:
• SSH protocol implementation supports user authentication over RADIUS in challenge-
response mode.

3.2.7 Telnet 3270

Supported connection modes:

• Bastion,
• Gateway,
• Proxy,
• Transparent.
Supported client applications:
• IBM Personal Communications,
• c3270.
Notes:
• Session joining is not supported.
• User must authenticate twice - first against Fudo and then against the target host.

Note: The FreeBSD terminal version of telnet(1) client (in comparison to those available
on Linux distributions, like Debian) automatically passes the user login name to the destination
server during the authentication process. This is due to the -a parameter, which is enabled by
default and is responsible for passing the login name so that the user doesn’t have to input it
while loggin in. In order to disable automatic passing of the login name, use -K parameter or
-l parameter with empty login.
It’s recommended to pay attention to the default settings of your Telnet client.

3.2. Supported protocols 16

Fudo Enterprise 5.4 - System Documentation

3.2.8 Telnet 5250

Supported connection modes:

• Bastion,
• Gateway,
• Proxy,
• Transparent.
Supported client applications:
• IBM Personal Communications,
• tn5250.
Notes:
• Session joining is not supported.
• User must authenticate twice - first against Fudo and then against the target host.

3.2.9 Telnet

Supported connection modes:

• Bastion,
• Gateway,
• Proxy,
• Transparent.
Notes:
• User must authenticate twice - first against Fudo and then against the target host.

3.2. Supported protocols 17

Fudo Enterprise 5.4 - System Documentation

3.2.10 VNC

Supported connection modes:

• Bastion,
• Gateway,
• Proxy,
• Transparent.
Supported client applications:
• TightVNC,
• RealVNC.
Supported OCR languages:
• English
• German
• Norwegian
• Ukrainian
• Polish
• Hungarian
• Russian
Notes:
• VNC protocol implementation supports user authentication over RADIUS in challenge-
response mode.
Connection specifics - VNC server requires authentication
• Anonymous type account: requires entering VNC server password (login string is ignored).
• Regular type account: requires user login and password (authentication against Fudo);
login substitution string defined in the account is ignored upon establishing connection.
• Forward type account: requires that users inputs password defined on the VNC server
(login string is ignored).
Connection specifics - server does not require authentication
• Anonymous type account: does not require any login information input (hit the enter key
on the logon screen).
• Regular type account: requires user login and password information (authentication
against Fudo); password substitution string can be left empty as it is not forwarded to the
target host.
• Forward type account: requires user login and password (authentication against Fudo).

3.2. Supported protocols 18

Fudo Enterprise 5.4 - System Documentation

3.2.11 X11

X11 protocol is supported within the SSH protocol.

Note: Session joining feature is not supported in X11 protocol connections.

Supported servers:
• Xorg,
• Xming,
• XQuartz.
Supported fonts:
For a list of fonts available for the applications that use core X11 protocol to draw text, check
the list of fonts available in Fudo Enterprise.

3.2.12 TCP

TCP is a generic protocol used for monitoring non-encrypted connections.

Supported connection modes:
• Gateway,
• Proxy,
• Transparent.
Notes:
• Session joining is not supported.
• Session player displays raw text without graphical rendering.
• SSL encryption is not supported.

3.2.13 Secret Checkout

Secret Checkout is a virtual protocol for establishing an access session to the account secret.
Checkout function allows user to temporarily take a secret from a secret vault. Then, the user
informs Fudo that the secret is no longer needed by returning it to the secret vault with a
Checkin operation.

Note: The protocol is virtual in a sense that there is no TCP/IP session related to it, only
meta information is stored (for example checkout time, checkin time, who accessed the secret).
As there is no TCP/IP, no data that can be played are saved. This makes checkout sessions
lightweight compared to sessions recorded with data, such as RDP.

3.2. Supported protocols 19

Fudo Enterprise 5.4 - System Documentation

In case of a breach, having secret checkouts recorded as sessions, allows one to pinpoint who had
access to the leaked secret.

A request for a secret checkout is sent by a user via the User Portal. The request can be approved
or declined by an administrator if a given safe is set to require approval. The user can see and
copy the password anytime during the session, which counts active till the password is returned
or the password’s valid time is over.
The secret can be returned automatically after the given period of time or returned manually
by the user via the User Portal. More on how to configure a timeout for automatic return of the
password is at Creating a safe page under Users tab section and at Creating an account with
regular type page under Credentials section.
When a checkout timeout is configured for an account with an ongoing checkout session, the
other user can checkout the secret, too . In this situation the user has to confirm the operation
by forcing checkout. This way the user can use soft exclusiveness of the checkout operation.
After return, the secret can be automatically changed to a new one, generated in accordance
with the specified Password Change Policy for a particular account.
Notes:
• Session joining feature is not supported.
• Playback is not supported.

3.3 Deployment scenarios

Note: It is advised to deploy the Fudo Enterprise within the IT infrastructure, so it only
mediates administrative connections. It will allow for lowering system load, network traffic
optimization as well as maintaining access to hosted services in case of hardware malfunction.

Bridge
In bridge mode Fudo Enterprise mediates communication between users and servers regardless
whether the traffic is being monitored (i.e. it uses any of supported protocols) or not.

Mediating packages transfer, Fudo Enterprise preserves source IP address when forwarding re-
quests to destination servers.
Such solution allows keeping existing rules on firewalls which control access to internal resources.
For more information on configuring bridge refer to the Network configuration topic.
Forced routing

3.3. Deployment scenarios 20

Fudo Enterprise 5.4 - System Documentation

Forced routing mode requires using a properly configured router. Such solution allows control-
ling network traffic in third ISO/OSI network layer, so only administrative requests are routed
through Fudo Enterprise and the rest of the traffic is forwarded directly to the destination server.

This mode does not require changes in existing network topology and enables network traffic
optimization due to separating requests from system administrators and regular users.
Related topics:
• Connection modes
• Managing servers
• User authentication methods and modes
• System overview
• Quick start - SSH connection configuration
• Quick start - RDP connection configuration
• Initial boot up

3.4 Connection modes

Deprecated since version 5.4

Fudo Enterprise 5.4 is the last version supporting transparent and gateway modes in the
listeners configuration. Listeners using these modes must be reconfigured to use proxy and
bastion modes before upgrading to the next release.

Transparent
In transparent mode, users connect to destination server using given server’s IP address.

3.4. Connection modes 21

Fudo Enterprise 5.4 - System Documentation

Gateway
In gateway mode, users connect to destination server using the server’s actual IP address. Fudo
Enterprise mediates connection with the server using own IP address. This ensures that the
traffic from the server to the user goes through Fudo Enterprise.

Proxy
In proxy mode, administrator connects to destination server using combination of Fudo Enter-
prise IP address and unique port number assigned to given server. Uniqueness of this combina-
tion enables establishing connection with a particular resource.

Such approach enables concealing actual IP addressing and allows configuring servers to only
accept requests sent from Fudo Enterprise.
Bastion

Note: The bastion mode is supported when connecting over SSH, RDP, VNC, Telnet, Telnet

3.4. Connection modes 22

Fudo Enterprise 5.4 - System Documentation

3270, Telnet 5250, MS SQL protocols.

In bastion mode, the target host is specified within the string identifying the user and the server
their are trying to connect to, e.g. ssh user#root#10.0.2.22. This enables facilitating access
to a group of monitored servers through the same IP address and port number combination.

While connecting, the Fudo Enterprise expects:

<username>[@domain][#<serverlogin>#<address>[:<port>]], where:
• <username>: User’s login on Fudo Enterprise,
• [@domain] is optional,
• <serverlogin>: user’s login on the target server,
• <address>: server address on the target server (the <port> can be omitted if native for
protocol).

Warning: # character in between is required.

Target object string is matched in the following sequence:

1. Exact username - Fudo Enterprise tries to match the string with object defined in the local
database.
2. Exact server address - Fudo Enterprise tries to match the string with an IP address of a
server object defined in the local database.
3. IP address returned by the DNS service - Fudo Enterprise queries the DNS service and
tries to match the returned IP address with an IP address of a server object defined in the
local database.
4. Hostname returned by the reverse DNS service - Fudo Enterprise queries the reverse DNS
service and tries to match the returned hostname with a sever object defined in the local
database.

Note: If an account object doesn’t have a login defined, the Fudo Enterprise system will ask
for a login while connecting to the target server.

Related topics:
• Deployment scenarios

3.4. Connection modes 23

Fudo Enterprise 5.4 - System Documentation

• Managing servers
• User authentication methods and modes
• System overview
• Quick start - SSH connection configuration
• Quick start - RDP connection configuration
• Initial boot up

3.5 User authentication methods and modes

User authentication methods

Before establishing connections with server, Fudo authorizes user using one of the following
authorization method:
• Static password ,
• Public key,
• CERB ,
• RADIUS ,
• LDAP ,
• Active Directory,
• OATH ,
• SMS ,
• DUO,
• Certificate.

Note:
• External authentication servers CERB, RADIUS, LDAP and Active Directory as well
as SMS and DUO require configuration. For more information, refer to the External
authentication topic.
• RDP, SSH and VNC protocols support user authentication over RADIUS in challenge-
response mode.

Authentication modes
After authenticating the user, Fudo proceeds with establishing connection with the target system
using original user credentials or substituting them with values stored locally or fetched from a
password vault.

Note: Due to specifics of VNC protocol, which authenticates the user using password only,
the login entered on the logon screen is ignored when establishing a VNC connection.

3.5. User authentication methods and modes 24

Fudo Enterprise 5.4 - System Documentation

Authentication with original login and password

In this authentication mode, Fudo uses login and password provided by the user upon logon to
authenticate the user on the target system.

Authentication with login and password substitution

In this authentication mode, Fudo substitutes user login and password with previously defined
ones.
Authentication with login and password substitution enables precise identification of the person
who connected to the server, in case a number of users use the same credentials to access the
server.

Note:
• The password to the target system can be either explicitly defined in the account or can
be obtained from internal or external password vault upon each access request. For more
information, refer to the Password changers and External passwords repositories topics.
• Due to specifics of VNC protocol, which authenticates the user using password only, the
login entered as the substitution string is ignored when establishing a VNC connection.

Note: In case of Oracle database, the user password and the privileged account password must
be both either shorter than 16 characters or 16-32 characters long.

Two-fold authentication
In two-fold authentication mode user is asked for login and password twice. Once for authenti-
cating against Fudo and once again to access the target system.
Authentication with password substitution
In this authentication mode, Fudo forwards login provided by user and substitutes the password
when establishing connection with the target system.

3.5. User authentication methods and modes 25

Fudo Enterprise 5.4 - System Documentation

Note:
• The password to the target system can be either explicitly defined in the connection or can
be obtained from the external passwords repository upon each access request. For more
information, refer to the External passwords repositories topic.
• Due to specifics of VNC protocol, which authenticates the user using password only, the
login entered on the logon screen is ignored when establishing a VNC connection.

Authentication by target server

In this mode, Fudo Enterprise forwards login credentials to the target host, which verifies whether
the user is authorized to access it. Verification status is returned to Fudo Enterprise, which
establishes monitored connection. Authentication by the target server is available only when
monitoring SSH connections or RDP with TLS + NLA security option enabled.
Administrator approved access
Fudo Enterprise can be configured so each connection to a monitored server will require approval
from the administrator using the administration interface.
Related topics:
• Creating a safe
• Approving pending user requests
• Declining pending requests
• System overview
• External authentication servers configuration
• Security measures

3.6 Security measures

3.6.1 Data encryption

Data stored on Fudo Enterprise is encrypted with AES-XTS algorithm using 256 bit encryption
keys. AES-XTS algorithm is most effective hard drive encryption solution.
Appliance

3.6. Security measures 26

Fudo Enterprise 5.4 - System Documentation

Encryption keys are stored on two USB flash drives. Flash drives delivered with Fudo Enterprise
are uninitialized. Keys initialization takes place during initial system boot-up, during which both
flash drives have to be connected (initiation procedure is described in chapter System initiation).
After encryption keys have been initiated and Fudo Enterprise has booted up, both USB flash
drives can be removed and placed somewhere safe. During daily operation, encryption key is
required only for system boot up. If safety procedures allow, one USB flash drive can stay
connected to Fudo Enterprise, which will allow Fudo Enterprise to boot up automatically in
case of a power outage or system reboot after software update.
Virtual machine distribution
Fudo Enterprise’s file system, running in virtual environment is encrypted using an encryption
phrase, which is set up during system initiation and has to be entered each time the system
boots up.
Database
Sensitive data, such as passwords, keys, logins, etc. are encrypted in the internal database itself.
The encryption key, called Master Key, is a random 256-bit key which is used to derive further
keys used to encrypt each section of database, such as Configuration information (User data,
Accounts, Safes, etc.), Database Backup and External Storage. Furthermore, Fudo makes use of
HMACs to “seal” the encrypted data. Master Key can be exported by superadministrator but
only when prior to MK export Fudo is provided a key to encrypt the Master Key itself.
Master Key export procedure allows superadministrator to create a backup of the Master Key,
without which data in the database as well as backups and external filesystems cannot be used.

3.6.2 Backups

User sessions data can be backed up on external servers running rsync service.

3.6.3 Permissions

Each data model entity, has a list of users defined, who are allowed to manage given object,
according to assigned user role.
For more information on user roles refer to Roles topic.

3.6.4 Sandboxing

Fudo Enterprise takes advantage of CAPSICUM sandboxing mechanism, which separates each
connection on Fudo Enterprise operating system level. Precise control over assigned system
resources and limiting access to information on the operating system itself, increase security and
greatly influence system’s stability and availability.

3.6. Security measures 27

Fudo Enterprise 5.4 - System Documentation

3.6.5 Reliability

System hardware configuration is optimized to deliver high performance and high availability.

3.6.6 Cluster configuration

Fudo Enterprise supports cluster configuration in multimaster mode where system configuration
(connections, servers, sessions, etc.) is synchronized on each cluster node and in case a given
node crashes, remaining nodes will immediately take over user connection requests ensuring
service continuity.

Warning: Cluster configuration does not facilitate data backup. If session data is deleted
on one of the cluster nodes, it is also deleted from other nodes.

Virtual IP addresses are aggregated in redundancy groups which enable facilitating static load
balancing while preserving cluster’s high availability nature.

Related topics:
• User authorization methods and modes
• System overview
• Quick start - SSH connection configuration
• Quick start - RDP connection configuration
• System initiation

3.6. Security measures 28

Fudo Enterprise 5.4 - System Documentation

3.7 Data model

Fudo Enterprise defines five base object types: user, server, account, safe and listener.
User defines a subject entitled to connect to servers within monitored IT infrastructure. Detailed
object definition (i.e. unique login and domain combination, full name, email address etc.)
enables precise accountability of user actions when login and password are substituted with a
shared account login credentials.
Server is a definition of the IT infrastructure resource, which can be accessed over one of the
specified protocols.
Account defines the privileged account existing on the monitored server. It specifies the actual
login credentials, user authentication mode: anonymous (without user authentication), regular
(with login credentials substitution) or forward (with login and password forwarding); password
changing policy as well as the password changer itself.
Safe directly regulates user access to monitored servers. It specifies available protocols’ features,
policies and other details concerning users and servers relations.
Listener determines server connection mode (proxy, gateway, transparent, bastion) as well as its
specifics.
Proper system operation requires configuration of servers, users, listeners, accounts and safes.

Warning: Data model objects: safes, users, servers, accounts and listeners are replicated
within the cluster and object instances must not be added on each node. In case the replica-
tion mechanism fails to copy objects to other nodes, contact technical support department.

Objects relations chart

Safe is the central data model object. It regulates access to monitores servers by specifying
privileged accounts on monitored servers along with the listeners which determine the actual
connection parameters (e.g. IP address, port number) depending on the given protocol. This
kind of data model allows for optimal objects’ management. A given server can be accessed

3.7. Data model 29

Fudo Enterprise 5.4 - System Documentation

differently as defined by the listener. A safe groups accounts enabling convenient control over
access to monitored resources.
Related topics:
• System overview
• User authorization methods and modes
• Quick start

3.8 Dashboard

Fudo Enterprise dashboard page enables quick access to essential status information. It com-
prises customizable dashlets allowing you to pick and choose the data that’s the most important
to you.

Note:
• Select Keep me logged in if you do not want Fudo to log you out automatically as long as
you are on the dashboard screen.
• Click Full screen to togge full-screen view.

3.8. Dashboard 30
Fudo Enterprise 5.4 - System Documentation

3.8.1 Widgets

New sessions Chart depicting the number of newly established connections

in a given time interval.
Concurrent sessions The current number of user sessions.
Suspicious sessions High-threat level sessions. The widget allows the following
timeline configurations for the sessions: last 12 hours, last
day, last week, and last month. The Suspicious sessions wid-
get also provides an URL to the filtered Sessions list with
Threat level: High criteria set so that administrator can
check what’s going on and quickly react.
Account alerts Number of accounts at risk of a security breach.
Active users Nubmer of currently connected users.
License Information on the active license.
Node Status information on the current Fudo Enterprise instance
as well as other nodes.
System logs Recent system events.

Note: Available widgets depend on the user role.

3.8.2 Adding, customizing and removind dashlets

1. Click the Dashlet’s market switcher to display available dashlets.

2. Drag and drop a dashlet onto the workspace.

3.8. Dashboard 31
Fudo Enterprise 5.4 - System Documentation

• Click and drag bottom-right corner of the dashlet to resize it.

• Click and drag the top-left corner to relocate the dashlet.
• Click arrows to change font-size.
• Click icon in the top-right corner. Then, click Remove to remove selected dashlet.

Note: Removed dashlets appear in the dashlets market area.

3.8.3 Hard drives status information

To view hard drive status information enable the Node dashlet and click the disks status icon.

Hard drive operates properly.

Data on the hard drive is being synchronized.
Data read/write errors - the hard drive does not operate properly and it is likely to fail
- contact the technical support to discuss hard drive replacement.
Hard drive failure - the hard drive must be replaced - contact the technical support to
discuss hard drive replacement.

3.8. Dashboard 32
Fudo Enterprise 5.4 - System Documentation

Related topics:
• Initial boot up
• Quick start - SSH connection configuration
• Quick start - RDP connection configuration

3.9 User Portal (Access Gateway)

Access Gateway enables browsing available resources and initiating connections with monitored
servers using selected listener.

Related topics:
• Requirements
• Data model
• Security measures

3.10 Third-Party Licenses

This section contains third-party license information for certain third-party products included
with Fudo Enterprise.
All the relevant licenses for third-party tools we depend on to deliver our product are available
here. Please click on the link to view copies of the licenses text.
If the indicated location does not contain a license for specific product, it means that it was not
provided by the developer.

3.9. User Portal (Access Gateway) 33

CHAPTER 4

System deployment

This topic describes Fudo Enterprise appliance and the system initiation procedure.

4.1 Requirements

Administration panel
System is managed in administration panel available through web browser. Recommended
browsers are Google Chrome, Mozilla Firefox and Microsoft Edge (Chromium based).
Network requirements
Correct operation requires:
• ability to establish connections to Fudo Enterprise on port 443, for administration pur-
poses,
• ability for users to connect to Fudo Enterprise and for Fudo Enterprise to connect to target
systems.
Hardware requirements
Fudo Enterprise is a complete solution combining both hardware and software. Installing system
requires 2U (F100x model) or 3U (F300x model) of space in 19” rack cabinet and connection to
network infrastructure.
Virtual appliance requirements

100 concurrent ses- 200 concurrent ses- 300 concurrent ses-

sions* sions* sions*
CPU 6 cores 20 cores 28 cores
RAM 32 GB 64 GB 128 GB

34
Fudo Enterprise 5.4 - System Documentation

6 months capacity 2 years capacity 7 years capacity**

Storage 24 TB 96 TB 288 TB

* Average 30% FullHD, 32bit graphical and 70% terminal sessions

** Calculated for 50 sessions created per day - 70% RDP FullHD 32bit and 30% SSH

Note: Storage size should be determined individually as it directly depends on the number of
sessions monitored and recorded by Fudo Enterprise.

Target virutalization environments:

• VMware Tools
• VirtualBox
• Proxmox
• Hyper-V
• Azure
VNC software client requirements
VNC connections require 24-bit (true color) mode, with encryption disabled.

4.2 Hardware overview

Fudo Enterprise is delivered in a 2U (F100x), 3U (F300x) or 4U (F500x) 19” rack server case.
Fudo Enterprise F1002
• Chassis: 19” 2U
• Dimensions: 89 mm (height), 437 mm (width), 647 mm (depth)
• PSU: 2x 920 W
• System memory: 32 GB
• Internal storage: 12x 2 TB, 2x 480 GB SSD
• Network interfaces:
– 4 x RJ45 Gigabit Ethernet LAN ports
– 1 x RJ45 Dedicated IPMI LAN port
The situation might be different, depending on the use of the expansion cards.

4.2. Hardware overview 35

Fudo Enterprise 5.4 - System Documentation

Fudo Enterprise F3002

• Chassis: 19” 3U
• Dimensions: 132 mm (height), 437 mm (width), 647 mm (depth)
• PSU: 2x 1000 W
• System memory: 64 GB

4.2. Hardware overview 36

Fudo Enterprise 5.4 - System Documentation

• Internal storage: 16x 6 TB HDD, 2x 480 GB SSD

• Network interfaces:
– 4 x RJ45 Gigabit Ethernet LAN ports
– 1 x RJ45 Dedicated IPMI LAN port
The situation might be different, depending on the use of the expansion cards.

4.2. Hardware overview 37

Fudo Enterprise 5.4 - System Documentation

Fudo Enterprise F5000

• Chassis: 19” 4U
• Dimensions: 178 mm (height), 437 mm (width), 699 mm (depth)
• PSU: 2x 1280 W
• System memory: 128 GB
• Internal storage: 36x 8 TB, 2x 480 GB SSD
• Network interfaces:
– 4 x RJ45 Gigabit Ethernet LAN ports
– 1 x RJ45 Dedicated IPMI LAN port
The situation might be different, depending on the use of the expansion cards.

4.2. Hardware overview 38

Fudo Enterprise 5.4 - System Documentation

Related topics:
• Initial boot up
• Quick start - SSH connection configuration
• Quick start - RDP connection configuration

4.2. Hardware overview 39

Fudo Enterprise 5.4 - System Documentation

4.3 System initiation

Appliance
Fudo Enterprise is delivered with two uninitiated USB flash drives. During initial boot up,
Fudo Enterprise generates encryption keys, which are stored on enclosed USB flash drives. More
information on encryption keys can be found in the Security measures chapter.
1. Install device in 19” rack cabinet.
2. Connect both power supply units to 230V/110V power outlets.

Note: Connecting both power supplies is necessary to start the system.

3. Connect network cable to one of the RJ-45 ports.

4. Connect both of the USB flash drives delivered with Fudo Enterprise.

Note: Initial boot up requires conecting both USB flash drives. More information on encryption
keys can be found in Security measures chapter.

5. Press the power button on the front panel.

6. After keys have been initiated, disconnect USB flash drives.

Warning:
• One of the USB flash drives containing encryption key must be disconnected and placed
in a secure location, accessible only to authorized personnel.
• If the USB flash drives with encryption keys are lost, device will not be able to boot up
and stored sessions will not be accessible. Manufacturer does not store any encryption
keys.

Note:
• In daily operation, one encryption key is required to start the system after which it can
be disconnected.

4.3. System initiation 40

Fudo Enterprise 5.4 - System Documentation

• It is advised to make a backup copy of the encryption key.

Setting IP address using system console

1. Connect monitor and keyboard to the device.
2. Enter administrator account login and press Enter.

Note: Default login credentials:

login: admin
password: proxycrypto
In cloud Fudo Enterprise versions virtual machine ID is usually set up as default password.
Please contact your Fudo Enterprise reseller to learn more.

3. Enter administrator account password and press Enter.

4.3. System initiation 41

Fudo Enterprise 5.4 - System Documentation

4. Enter 2 and press Enter to change network configuration.

5. Enter y and press Enter to proceed with resetting network configuration.

6. Enter the name of the new management interface (Fudo Enterprise web interface is acces-
sible through the management interface).

4.3. System initiation 42

Fudo Enterprise 5.4 - System Documentation

7. Enter IP address along with the network subnet mask separated with / (e.g. 10.0.0.8/24)
and press Enter.

8. Enter network gate and press Enter.

4.3. System initiation 43

Fudo Enterprise 5.4 - System Documentation

4.3.1 Virtual machine

Local Fudo Enterprise deployment is based on uploading the OVA / OVF file into virtualization
tool and running the Fudo Enterprise instance on browser. Please follow below chapters to
deploy Fudo Enterprise using the VMware or Proxmox virtualization tools. In order to proceed
the deployment, the OVA or OVF file is needed.
VMware Installation with OVA file
1. Click the Create / Register VM button.

2. In the modal window, select the Deploy a virtual machine from an OVF or OVA file option.
3. Select the downloaded OVA file and upload it, or just drag and drop it into the upload
area.

4.3. System initiation 44

Fudo Enterprise 5.4 - System Documentation

4. Enter a name for the virtual machine.

5. Select the storage option.
6. Select deployment options.

7. Click Finish and wait for the configuration file to be fully uploaded.
8. Initialize the machine by selecting its record.
9. Click the Console button and select the Launch remote console option. Select your appli-
cation and verify certificate.
10. In the console, provide a passphrase.

Note: The password is optional and can be left empty. However, if the password is provided,
the Fudo system encrypts it and asks for it every time the VM is rebooted.

11. Select the region and city by providing respective codes and confirming your choice.
12. Enter date and time in DD.MM.YYYY HH:MM format.

4.3. System initiation 45

Fudo Enterprise 5.4 - System Documentation

13. Set the network configuration:

a. Sign in as an administrator:
login: admin
password: proxycrypto
b. From the list of the Fudo configuration utility, select option 3 - Reset network settings.
c. Select new management interface and enter the IP address.

Note: Your Fudo Enterprise instance has been successfully initiated! Now you can enter the
registered IP address in your browser and start with your first configuration.

4.3. System initiation 46

Fudo Enterprise 5.4 - System Documentation

Proxmox Installation with OVF file

1. Create a new machine using cores, memory and VM name as read from the OVF manifest,
and import the disks to the local-zfs storage:
a. Log in to to a remote computer, for example, with ssh 10.0.2.33 and provide a
password.
b. In the folder fudo.install execute a command: qm importovf <vmid> <manifest>
<storage> [OPTIONS]
for example:
qm importovf 109 ./fudo-one-36271-release.ovf local-zfs

2. Wait for the manifest data to be imported.

3. In the Proxmox client find your server and open settings for your 109
(fudo-one-36271-release) virtual machine.
4. In the Hardware section, change the Hard Disk options into the Write back cache, and in
Advanced section check the SSD emulation option, then the Discard option. Click OK.
5. In the SCSI Controller section, select the VirtIO SCSI option as a SCSI controller type.
6. Add a new Network Device and in the Model field select the VirtIO (paravirtualized)
option.

4.3. System initiation 47

Fudo Enterprise 5.4 - System Documentation

7. Click the Start option.

8. Go to the Console.

9. Select the region and city by providing respective codes and confirming your choice.
10. Enter date and time in DD.MM.YYYY HH:MM format.
11. Set the network configuration:
a. Sign in as an administrator:

4.3. System initiation 48

Fudo Enterprise 5.4 - System Documentation

login: admin
password: proxycrypto
b. From the list of the Fudo configuration utility, select the option 3 - Reset network
settings.
c. Select new management interface and enter the IP address with a mask.
d. Enter a new default gateway IP address.

Note: Your Fudo Enterprise instance has been successfully initiated!

12. Enter the registered IP address in your browser bar and sign in as an administrator.
13. In the Network configuration settings input a name for the Access Gateway address. Click
Save.
14. Add a new DNS server address in the Name & DNS sub-tab. Click Save.
15. In the System settings, add a new NTP server address. Click Save.
16. From the contextual menu in the upper right corner, select the Restart option.
17. Wait for the system to be restarted and sign in back again.

Note: Now you can start with your first configuration!

Related topics:
• Requirements
• Quick start - SSH connection configuration
• Quick start - RDP connection configuration
• System overview
• Security measures

4.3. System initiation 49

CHAPTER 5

Quick start

5.1 SSH

This chapter contains an example of a basic Fudo Enterprise configuration, to monitor SSH
access to a remote server. In this scenario, the user connects to the remote server over the SSH
protocol and logs in to the Fudo Enterprise using an individual login and password combination
(john_smith/john). When establishing the connection with the remote server, Fudo Enter-
prise substitutes the login and the password with the previously defined values: root/password
(authentication modes are described in the User authentication modes section).

50
Fudo Enterprise 5.4 - System Documentation

5.1.1 Prerequisites

Description below assumes that the system has been already initiated. The initiation procedure
is described in the System initiation topic.

5.1.2 Configuration

Adding a server
Server is a definition of the IT infrastructure resource, which can be accessed over one of the
specified protocols.
1. Select Management > Servers.
2. Click + Add server.
3. Provide essential configuration parameters:

Parameter Value
General
Name ssh_server
Description
Blocked
Protocol SSH
Legacy ciphers
Bind address Any

Permissions
Granted users

Destination
Address 10.0.150.151
Mask 32
Port 22
Server verification None

4. Click Save or Save and close.

Adding a user
User defines a subject entitled to connect to servers within monitored IT infrastructure. Detailed
object definition (i.e. unique login and domain combination, full name, email address etc.)
enables precise accountability of user actions when login and password are substituted with a
shared account login credentials.
1. Select Management > Users.

5.1. SSH 51
Fudo Enterprise 5.4 - System Documentation

2. Click + Add.
3. Provide essential user information:

Parameter Value
General
Name john_smith
Role user
Blocked
Account validity Indefinite

Settings Tab
Safes

Authentication section
Authentication failures
Enforce password complex-
ity
Add authentication Static password
method:
Password john

User Data Tab

Fudo domain
AD Domain
LDAP Base
Full name John Smith
Email [email protected]
Organization
Phone

Permissions Tab
Granted users

4. Click Save.
Adding a listener
Listener determines server connection mode (proxy, gateway, transparent, bastion) as well as its
specifics.
1. Select Management > Listeners.
2. Click + Add.
3. Provide essential configuration parameters:

5.1. SSH 52
Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name ssh_listener
Blocked
Protocol SSH
Legacy ciphers
Case insensitivity

Permissions
Granted users

Connection
Mode proxy
Local address 10.0.150.152
Port 1022
External address
External port

4. Generate or upload proxy server’s private key.

Note: For security reasons the form displays server’s public key derived from the generated or
uploaded private key.

5. Click Save.
Adding an account
Account defines the privileged account existing on the monitored server. It specifies the actual
login credentials, user authentication mode: anonymous (without user authentication), regular
(with login credentials substitution) or forward (with login and password forwarding); password
changing policy as well as the password changer itself.
1. Select Management > Accounts.
2. Click + Add.
3. Provide essential configuration parameters:

5.1. SSH 53
Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name SSH-account
Blocked
Type regular
Session recording all
Notes

Data retention
Override global retention
settings
Delete session data after 61 days

Permissions
Granted users

Server
Server ssh_server

Credentials
Domain
Login root
Replace secret with with password
Password password
Repeat password password
Password change policy Static, without restrictions

4. Generate or upload proxy server’s private key.

Note: For security reasons the form displays server’s public key derived from the generated or
uploaded private key.

5. Click Save.
Defining a safe
Safe directly regulates user access to monitored servers. It specifies available protocols’ features,
policies and other details concerning users and servers relations.
1. Select Management > Safes.
2. Click + Add.
3. Provide essential configuration parameters:

5.1. SSH 54
Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name ssh_safe
Notifications
Login reason
Require approval
Policies
Note access No access

Protocol functionality
RDP
SSH
VNC

4. Select Users tab.

5. Click + Add user.

6. Find John and click .

7. Click OK.
8. Select Accounts tab.
9. Click + Add account.

10. Find the SSH-account object and click .

11. Click OK.
12. Click in the Listeners column.

13. Find the ssh_listener object and click .

14. Click OK.
15. Click Save.

5.1.3 Establishing connection

At this point john_smith can connect to the target host over the SSH protocol.
Example:

5.1. SSH 55
Fudo Enterprise 5.4 - System Documentation

Note: Note that the fingerprint displayed when connecting to the target host for the first time
is the same as was generated during server configuration.

After accepting the connection, user will be asked for the password. After successful authenti-
cation Fudo Enterprise starts recording user’s activities.

5.1.4 Viewing user session

1. Open a web browser and go to the 10.0.150.151 web address.

2. Enter the login and password to login to the Fudo Enterprise administration panel.
3. Select Management > Sessions.
4. Find the session and click the playback icon.

Related topics:
• PuTTY
• Requirements

5.1. SSH 56
Fudo Enterprise 5.4 - System Documentation

• Data model
• Quick start - RDP connection configuration
• Quick start - HTTP connection configuration
• Quick start - MySQL connection configuration
• Quick start - Telnet connection configuration

5.2 SSH in bastion mode

This chapter contains an example of a basic Fudo Enterprise configuration, to monitor SSH
access in bastion mode. In this scenario, the user connects to the remote server over the SSH
protocol and logs in to the Fudo Enterprise using an individual login and password combination
(john_smith/john). The user specifies user name along with account login on the target server
and target server address in the login string (john_smith#root#192.168.0.110) and connects to
it over default SSH port number. Upon establishing connection, login credentials are substituted
with the previously defined values: root/password (authentication modes are described in the
User authentication modes section).

5.2.1 Prerequisites

Description below assumes that the system has been already initiated. The initiation procedure
is described in the System initiation topic.

5.2.2 Configuration

5.2. SSH in bastion mode 57

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name ssh_server
Description
Blocked
Protocol SSH
Legacy ciphers
Bind address Any

Permissions
Granted users

Destination
Address 192.168.0.100
Mask 32
Port 22
Server verification None

4. In the Server verification section select Server public key and provide respective public
key data or click Get public key.
5. Click Save or Save and close.
Adding a user
User defines a subject entitled to connect to servers within monitored IT infrastructure. Detailed
object definition (i.e. unique login and domain combination, full name, email address etc.)
enables precise accountability of user actions when login and password are substituted with a
shared account login credentials.
1. Select Management > Users.
2. Click + Add.
3. Provide essential user information:

5.2. SSH in bastion mode 58

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name john_smith
Role user
Blocked
Account validity Indefinite

Settings Tab
Safes

Authentication section
Authentication failures
Enforce password complex-
ity
Add authentication Static password
method:
Password john

User Data Tab

Fudo domain
AD Domain
LDAP Base
Full name John Smith
Email [email protected]
Organization
Phone

Permissions Tab
Granted users

5.2. SSH in bastion mode 59

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name ssh_listener
Blocked
Protocol SSH
Legacy ciphers
Case insensitivity

Permissions
Granted users

Connection
Mode bastion
Local address 10.0.150.151
Port 22
External address
External port

4. Generate or upload proxy server’s private key.

Note: For security reasons the form displays server’s public key derived from the generated or
uploaded private key.

5.2. SSH in bastion mode 60

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name admin_ssh_server
Blocked
Account type regular
Session recording all
Notes

Data retention
Override global retention
settings
Delete session data after 61 days

Permissions
Granted users

Server
Server ssh_server

Credentials
Domain
Login root
Replace secret with with password
Password password
Repeat password password
Password change policy Static, without restrictions

4. Generate or upload proxy server’s private key.

Note: For security reasons the form displays server’s public key derived from the generated or
uploaded private key.

5.2. SSH in bastion mode 61

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name ssh_safe
Notifications
Login reason
Require approval
Policies
Note access No access

Protocol functionality
RDP
SSH
VNC

4. Select Users tab.

5. Click + Add user.

6. Find john_smith and click .

7. Click OK.
8. Select Accounts tab.
9. Click + Add account.

10. Find the admin_ssh_server object and click .

11. Click OK.
12. Click in the Listeners column.

13. Find the ssh_listener object and click .

14. Click OK.
15. Click Save.

5.2.3 Establishing connection

PuTTY - SSH client for Microsoft Windows

1. Download and launch PuTTY.
2. In the Host Name (or IP address) field, enter 10.0.150.151.
3. Select the SSH connection type and leave the default port number unchanged.

5.2. SSH in bastion mode 62

Fudo Enterprise 5.4 - System Documentation

4. Click Open.
5. Enter user name along with account login on the target server and target server address.

6. Enter password.

5.2. SSH in bastion mode 63

Fudo Enterprise 5.4 - System Documentation

Command line interface

Launch terminal and run ssh command using following format:

ssh -l <fudo-user>#<server-user>#<server-address> <fudo-address>

Example:

ssh -l john_smith#root#192.168.0.110 10.0.150.151

5.2.4 Viewing user session

1. Open a web browser and enter the Fudo Enterprise administrator panel IP address.
2. Enter the login and password to login to the Fudo Enterprise administration panel.
3. Select Management > Sessions.
4. Find John Smith’s session and click the playback icon.
Related topics:
• Requirements
• Data model
• Quick start - RDP connection configuration
• Quick start - HTTP connection configuration
• Quick start - MySQL connection configuration
• Quick start - Telnet connection configuration

5.3 RDP

This chapter contains an example of a basic Fudo Enterprise configuration, to monitor RDP
access to a remote server. In this scenario, the user connects to the remote server over the RDP
protocol and logs in to the Fudo Enterprise using an individual login and password combination
(john_smith/john). When establishing the connection with the remote server, Fudo Enterprise
substitutes the login with specified in Account and the password with the password managed
by a password changer (authentication modes are described in the User authentication modes
section).

5.3. RDP 64
Fudo Enterprise 5.4 - System Documentation

5.3.1 Prerequisites

Description below assumes that the system has been already initiated. The initiation procedure
is described in the System initiation topic.

5.3.2 Configuration

Parameter Value
Name rdp_server
Description
Blocked
Protocol RDP
TLS enabled
NLA enabled
Legacy ciphers
Inform about existing con-
nection
Bind address 10.0.150.151

Permissions
Granted users

Destination
Address 10.0.35.54
Mask 32
Port 3389
Server verification None

4. Click Save or Save and close.

5.3. RDP 65
Fudo Enterprise 5.4 - System Documentation

enables precise accountability of user actions when login and password are substituted with a
shared account login credentials.
1. Select Management > Users.
2. Click + Add.
3. Provide essential user information:

Parameter Value
General
Name john_smith
Role user
Blocked
Account validity Indefinite

Settings Tab
Safes

Authentication section
Authentication failures
Enforce password complex-
ity
Add authentication Static password
method:
Password john

User Data Tab

Fudo domain
AD Domain
LDAP Base
Full name John Smith
Email [email protected]
Organization
Phone

Permissions Tab
Granted users

4. Click Save.
Adding a listener
Listener determines server connection mode (proxy, gateway, transparent, bastion) as well as its
specifics.
1. Select Management > Listeners.
2. Click + Add.

5.3. RDP 66
Fudo Enterprise 5.4 - System Documentation

3. Provide essential configuration parameters:

Parameter Value
General
Name rdp_listener
Blocked
Protocol RDP
Security Standard RDP Security
Announcement

Permissions
Granted users

Connection
Mode proxy
Local address 10.0.150.151
Port 3389
External address
External port

4. Generate or upload proxy server’s private key.

Note: For security reasons the form displays server’s public key derived from the generated or
uploaded private key.

5.3. RDP 67
Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name admin_rdp_server
Blocked
Type regular
Session recording all
OCR sessions
OCR Language English
Notes

Data retention
Override global retention
settings
Delete session data after 61 days

Permissions
Granted users

Server
Server rdp_server

Credentials
Domain
Login administrator
Replace secret with with password
Password password
Repeat password password
Password change policy Static, without restrictions

4. Click Save.
Defining a safe
Safe directly regulates user access to monitored servers. It specifies available protocols’ features,
policies and other details concerning users and servers relations.
1. Select Management > Safes.
2. Click + Add.
3. Provide essential configuration parameters:

5.3. RDP 68
Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name rdp_safe
Blocked
Notifications
Login reason
Requires approval
Policies
Note access No access
Users john_smith

Protocol functionality
RDP
SSH
VNC

4. Select Users tab.

5. Click + Add user.

6. Find John and click .

7. Click OK.
8. Select Accounts tab.
9. Click + Add account.

10. Find the admin_rdp_server object and click .

11. Click OK.
12. Click in the Listeners column.

13. Find the rdp_listener object and click .

14. Click OK.
15. Click Save.

5.3.3 Establishing an RDP connection with a remote host

1. Launch RDP client of your choice.

2. Enter destination host IP address and RDP service port number.

5.3. RDP 69
Fudo Enterprise 5.4 - System Documentation

3. Enter user login and password and press the [Enter] keyboard key.

5.3. RDP 70
Fudo Enterprise 5.4 - System Documentation

Note: Fudo Enterprise enables using custom login, no access and session termination screens
for RDP and VNC connections. For more information on user defined images for graphical
remote sessions, refer to the Resources topic.

5.3.4 Viewing user session

1. Open a web browser and go to the 10.0.150.151 web address.

2. Enter the login and password to login to the Fudo Enterprise administration panel.
3. Select Management > Sessions.
4. Find John Smith’s session and click the playback icon.

Related topics:
• Microsoft Remote Desktop
• Requirements
• Data model

5.3. RDP 71
Fudo Enterprise 5.4 - System Documentation

• Quick start - RDP connection configuration

• Quick start - HTTP connection configuration
• Quick start - MySQL connection configuration
• Quick start - Telnet connection configuration

5.4 RDP in bastion mode

This chapter contains an example of a basic Fudo Enterprise configuration, to monitor RDP
access to a remote server. In this scenario, the user connects to the remote server in bastion
mode by specifying the user name along with account login on the target server and target server
address in the login string. Bastion mode enables facilitating privileged accounts monitoring
while preserving default protocols port numbers.

5.4.1 Prerequisites

Description below assumes that the system has been already initiated. The initiation procedure
is described in the System initiation topic.

5.4.2 Configuration

5.4. RDP in bastion mode 72

Fudo Enterprise 5.4 - System Documentation

Parameter Value
Name rdp_server
Description
Blocked
Protocol RDP
TLS enabled
NLA enabled
Legacy ciphers
Inform about existing con-
nection
Bind address 10.0.150.151

Permissions
Granted users

Destination
Address 10.0.35.54
Mask 32
Port 3389
Server verification None

4. Click Save or Save and close.

5.4. RDP in bastion mode 73

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name john_smith
Role user
Blocked
Account validity Indefinite

Settings Tab
Safes

Authentication section
Authentication failures
Enforce password complex-
ity
Add authentication Static password
method:
Password john

User Data Tab

Fudo domain
AD Domain
LDAP Base
Full name John Smith
Email [email protected]
Organization
Phone

Permissions Tab
Granted users

5.4. RDP in bastion mode 74

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name rdp_listener_bastion
Blocked
Protocol RDP
Security Standard RDP Security
Announcement

Permissions
Granted users

Connection
Mode bastion
Local address 10.0.150.151
Port 3389
External address
External port

4. Generate or upload proxy server’s private key.

Note: For security reasons the form displays server’s public key derived from the generated or
uploaded private key.

5.4. RDP in bastion mode 75

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name admin_rdp_server
Blocked
Type regular
Session recording all
OCR sessions
OCR Language English
Notes

Data retention
Override global retention
settings
Delete session data after 61 days

Permissions
Granted users

Server
Server rdp_server

Credentials
Domain
Login admin
Replace secret with with password
Password password
Repeat password password
Password change policy Static, without restrictions

5.4. RDP in bastion mode 76

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name rdp_safe
Blocked
Notifications
Login reason
Require approval
Policies
Note access No access

Protocol functionality
RDP
SSH
VNC

4. Select Users tab.

5. Click + Add user.

6. Find john_smith and click .

7. Click OK.
8. Select Accounts tab.
9. Click + Add account.

10. Find the admin_rdp_server object and click .

11. Click OK.
12. Click in the Listeners column.

13. Find the rdp_listener_bastion object and click .

14. Click OK.
15. Click Save.

5.4.3 Establishing an RDP connection with a remote host

1. Launch RDP client of your choice.

2. Enter destination host IP address and RDP service port number.
3. Enter user name along with account login on the target server and target server address
(john_smith#admin#10.0.35.54) and provide password.

5.4. RDP in bastion mode 77

Fudo Enterprise 5.4 - System Documentation

Note:
• In case you do not specify login credentials, Fudo will display the internal login screen to
enter the account name along with the username and password.

• In case the specified account is not found, Fudo Enterprise will try to match the name
with a server object. If a matching server is not found, system tries to match the string
to a host’s DNS name.
• Fudo Enterprise enables using a custom logo on the login screen for RDP and VNC con-
nections. For more information refer to the Resources topic.

5.4. RDP in bastion mode 78

Fudo Enterprise 5.4 - System Documentation

5.4.4 Viewing user session

1. Open a web browser and enter the Fudo Enterprise administrator panel IP address.

Note: Make sure that the entered IP address has the control panel sharing option enabled in
the Network configuration settings.

2. Enter the login and password to login to the Fudo Enterprise administration panel.
3. Select Management > Sessions.
4. Find John Smith’s session and click the playback icon.

5.4. RDP in bastion mode 79

Fudo Enterprise 5.4 - System Documentation

Related topics:
• Microsoft Remote Desktop
• Requirements
• Data model
• Quick start - RDP connection configuration
• Quick start - HTTP connection configuration
• Quick start - MySQL connection configuration
• Quick start - Telnet connection configuration

5.5 Telnet

This chapter contains an example of a basic Fudo Enterprise configuration, to monitor Telnet
connections to a remote server. In this scenario, the user connects to the remote server using
Telnet client and logs in using individual login and password. Fudo Enterprise authenticates
the user against the information stored in the local database, establishes connection with the
remote server and starts recording.

Note: Telnet connections do not support login credentials forwarding and login credentials
substitution. When connecting to target host over telnet protocol, users are asked to provide
their login credentials twice. First time to authenticate against Fudo Enterprise and then again,
to connect to the target host.

5.5. Telnet 80
Fudo Enterprise 5.4 - System Documentation

5.5.1 Prerequisites

Description below assumes that the system has been already initiated. For more information on
the initiation procedure refer to the System initiation topic.

5.5.2 Configuration

Parameter Value
General
Name telnet_server
Description
Blocked
Protocol Telnet 5250
TLS enabled
Bind address Any

Permissions
Granted users

Destination
Address 10.0.35.137
Mask 32
Port 23

4. Click Save or Save and close.

5.5. Telnet 81
Fudo Enterprise 5.4 - System Documentation

3. Provide essential user information:

Parameter Value
General
Name john_smith
Role user
Blocked
Account validity Indefinite

Settings Tab
Safes

Authentication section
Authentication failures
Enforce password complex-
ity
Add authentication Static password
method:
Password john

User Data Tab

Fudo domain
AD Domain
LDAP Base
Full name John Smith
Email [email protected]
Organization
Phone

Permissions Tab
Granted users

5.5. Telnet 82
Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name telnet_listener
Blocked
Protocol Telnet

Permissions
Granted users

Connection
Mode proxy
Local address 10.0.150.151
Port 23
Use TLS

4. Click Save.
Adding an account
Account defines the privileged account existing on the monitored server. It specifies the actual
login credentials, user authentication mode: anonymous (without user authentication), regular
(with login credentials substitution) or forward (with login and password forwarding); password
changing policy as well as the password changer itself.
1. Select Management > Accounts.
2. Click + Add.
3. Provide essential configuration parameters:

5.5. Telnet 83
Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name admin_telnet_server
Blocked
Type forward
Session recording all
Notes

Data retention
Override global retention
settings
Delete session data after 61 days

Permissions
Granted users

Server
Server telnet_server

Credentials
Replace secret with with password
Password
Repeat password
Forward domain

5.5. Telnet 84
Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name telnet_safe
Blocked
Notifications
Login reason
Require approval
Policies
Note access

Protocol functionality
RDP
SSH
VNC

Permissions
Granted users

4. Select Users tab.

5. Click + Add user.

6. Find John and click .

7. Click OK.
8. Select Accounts tab.
9. Click + Add account.

10. Find the admin_telnet_server object and click .

11. Click OK.
12. Click in the Listeners column.

13. Find the telnet_listener object and click .

14. Click OK.
15. Click Save.

5.5. Telnet 85
Fudo Enterprise 5.4 - System Documentation

5.5.3 Establishing a telnet connection with the remote host

1. Launch telnet client of your choice.

2. Connect to the remote host:

telnet> open 10.0.150.151

Trying 10.0.150.151...
Connected to 10.0.150.151.
Escape character is '^]'.

3. Provide user authentication information defined on Fudo Enterprise:

FUDO Authentication.
FUDO Login: john_smith
FUDO Password:

4. Provide user authentication information defined on the target host:

FreeBSD/amd64 (fbsd83-cerb.whl) (pts/0)

Note: Telnet connections do not support user credentials substitution.

5.5.4 Viewing user’s session

1. Open a web browser and go to the 10.0.150.151 web address.

2. Enter the login and the password to log in to the Fudo Enterprise administration panel.
3. Select Management > Sessions.
4. Find John Smith’s session and click the playback icon.

Related topics:
• Quick start - SSH connection configuration
• Quick start - HTTP connection configuration
• Quick start - MySQL connection configuration
• Quick start - RDP connection configuration
• Requirements

5.5. Telnet 86
Fudo Enterprise 5.4 - System Documentation

• Data model
• Resources

5.6 Telnet 5250

This chapter contains an example of a basic Fudo Enterprise configuration, to monitor Telnet
5250 connections to a remote server. In this scenario, the user connects to the remote server using
Telnet client and logs in using individual login and password. Fudo Enterprise authenticates
the user against the information stored in the local database, establishes connection with the
remote server and starts recording.

5.6.1 Prerequisites

Description below assumes that the system has been already initiated. For more information on
the initiation procedure refer to the System initiation topic.

5.6.2 Configuration

Adding a server
Server is a definition of the IT infrastructure resource, which can be accessed over one of the
specified protocols.
1. Select Management > Servers.
2. Click + Add and select Static server.
3. Provide essential configuration parameters:

5.6. Telnet 5250 87

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name telnet_server
Description
Blocked
Protocol Telnet 5250
TLS enabled
Bind address Any

Permissions
Granted users

Destination
Address 10.0.35.137
Mask 32
Port 23

4. Click Save or Save and close.

5.6. Telnet 5250 88

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name john_smith
Role user
Blocked
Account validity Indefinite

Settings Tab
Safes

Authentication section
Authentication failures
Enforce password complex-
ity
Add authentication Static password
method:
Password john

User Data Tab

Fudo domain
AD Domain
LDAP Base
Full name John Smith
Email [email protected]
Organization
Phone

Permissions Tab
Granted users

5.6. Telnet 5250 89

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name telnet_listener
Blocked
Protocol Telnet 5250

Permissions
Granted users

Connection
Mode proxy
Local address 10.0.150.151
Port 23
Use TLS
Legacy ciphers
Server certificate

5.6. Telnet 5250 90

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name admin_telnet_server
Blocked
Type forward
Session recording all
Notes

Data retention
Override global retention
settings
Delete session data after 61 days

Permissions
Granted users

Server
Server telnet_server

Credentials
Replace secret with with password
Password
Repeat password
Forward domain

5.6. Telnet 5250 91

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name telnet_safe
Blocked
Notifications
Login reason
Require approval
Policies
Note access

Protocol functionality
RDP
SSH
VNC

Permissions
Granted users

4. Select Users tab.

5. Click + Add user.

6. Find John and click .

7. Click OK.
8. Select Accounts tab.
9. Click + Add account.

10. Find the admin_telnet_server object and click .

11. Click OK.
12. Click in the Listeners column.

13. Find the telnet_listener object and click .

14. Click OK.
15. Click Save.

5.6. Telnet 5250 92

Fudo Enterprise 5.4 - System Documentation

5.6.3 Establishing a telnet connection with the remote host

1. Launch telnet client of your choice.

2. Connect to the remote host:

telnet> open 10.0.150.151

Trying 10.0.150.151...
Connected to 10.0.150.151.
Escape character is '^]'.

3. Provide user authentication information defined on Fudo Enterprise:

4. Provide user authentication information defined on the target host:

FreeBSD/amd64 (fbsd83-cerb.whl) (pts/0) login: password:

Note: Telnet connections do not support user credentials substitution.

5.6. Telnet 5250 93

Fudo Enterprise 5.4 - System Documentation

5.6.4 Viewing user’s session

1. Open a web browser and go to the 10.0.150.151 web address.

2. Enter the login and the password to log in to the Fudo Enterprise administration panel.
3. Select Management > Sessions.
4. Find John Smith’s session and click the playback icon.

Related topics:
• Quick start - SSH connection configuration

5.6. Telnet 5250 94

Fudo Enterprise 5.4 - System Documentation

• Quick start - HTTP connection configuration

• Quick start - MySQL connection configuration
• Quick start - RDP connection configuration
• Requirements
• Data model
• Resources

5.7 MySQL

This chapter contains an example of a basic Fudo Enterprise configuration, to monitor SQL
queries to a remote MySQL database server.
In this scenario, the user connects to a MySQL database using individual login and password.
When establishing the connection with the remote server, Fudo Enterprise substitutes the login
and the password with the previously defined values: root/password (authorization modes are
described in the User authorization modes section).

Warning: Note that the MySQL server caching_sha2_password plugin isn’t sup-
ported by Fudo Enterprise. Supportable MySQL plugins by Fudo Enterprise are
mysql_native_password and mysql_old_password. Server plugin should be set to
mysql_native_password in /etc/mysql/mysql.conf.d/mysqld.cnf and a User object is
created with mysql_native_password plugin.

5.7.1 Prerequisites

The following description assumes that the system has been already initiated. For more infor-
mation on the initiation procedure refer to the System initiation topic.

5.7. MySQL 95
Fudo Enterprise 5.4 - System Documentation

5.7.2 Configuration

Parameter Value
General
Name mysql_server
Description
Blocked
Protocol MySQL
Bind address Any

Permissions
Granted users

Destination
Address 10.0.1.35
Mask 32
Port 3306

4. Click Save or Save and close.

5.7. MySQL 96
Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name john_smith
Role user
Blocked
Account validity Indefinite

Settings Tab
Safes

Authentication section
Authentication failures
Enforce password complex-
ity
Add authentication Static password
method:
Password john

User Data Tab

Fudo domain
AD Domain
LDAP Base
Full name John Smith
Email [email protected]
Organization
Phone

Permissions Tab
Granted users

5.7. MySQL 97
Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name mysql_listener
Blocked
Protocol Mysql

Permissions
Granted users

Connection
Mode proxy
Local address 10.0.150.151
Port 3306

5.7. MySQL 98
Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name admin_mysql_server
Blocked
Type regular
Session recording all
Notes

Data retention
Override global retention
settings
Delete session data after 61 days

Permissions
Granted users

Server
Server mysql_server

Credentials
Domain
Login root
Replace secret with with password
Password password
Repeat password password
Password change policy Static, without restrictions

5.7. MySQL 99
Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name mysql_safe
Blocked
Notifications
Login reason
Require approval
Policies
Note access No access

Protocol functionality
RDP
SSH
VNC

4. Select Users tab.

5. Click + Add user.

6. Find John and click .

7. Click OK.
8. Select Accounts tab.
9. Click + Add admin_mysql_server.

10. Find the twitter_admin object and click .

11. Click OK.
12. Click in the Listeners column.

13. Find the mysql_listener object and click .

14. Click OK.
15. Click Save.

5.7.3 Establishing connection with a MySQL database

1. Launch a command line interface client.

2. Enter mysql -h 10.0.150.151 -u john_smith -p, to connect to the database server.
3. Enter the user’s password.

5.7. MySQL 100

Fudo Enterprise 5.4 - System Documentation

4. Continue browsing the database contents using SQL queries.

5.7.4 Viewing user session

1. Open a web browser and go to the Fudo Enterprise administration page.

2. Enter user login and password to log in to Fudo Enterprise administration panel.
3. Select Management > Sessions.
4. Find John Smith’s session and click the playback icon.

5.7. MySQL 101

Fudo Enterprise 5.4 - System Documentation

Related topics:
• Quick start - SSH connection configuration
• Quick start - RDP connection configuration
• Quick start - HTTP connection configuration
• Quick start - Telnet connection configuration
• Requirements
• Data model

5.8 MS SQL

This chapter contains an example of a basic Fudo Enterprise configuration, to monitor MS SQL
connections to a remote MS SQL database server.
In this scenario, the user connects to a MS SQL database using individual login and password
using SQL Server Management Studio. When establishing the connection with the remote
server, Fudo Enterprise substitutes the login and the password with the previously defined
values: fudo/password (authorization modes are described in the User authorization modes
section).

5.8. MS SQL 102

Fudo Enterprise 5.4 - System Documentation

5.8.1 Prerequisites

The following description assumes that the system has been already initiated. For more infor-
mation on the initiation procedure refer to the System initiation topic.

Note: Make sure that the SQL Server has the SQL Server and Windows Authentication mode
enabled.

5.8. MS SQL 103

Fudo Enterprise 5.4 - System Documentation

5.8.2 Configuration

Parameter Value
General
Name mssql_server
Description
Blocked
Protocol MS SQL (TDS)
Bind address Any

Permissions
Granted users

Destination
Address 10.0.150.154
Mask 32
Port 1433

4. Click Save or Save and close.

5.8. MS SQL 104

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name john_smith
Role user
Blocked
Account validity Indefinite

Settings Tab
Safes

Authentication section
Authentication failures
Enforce password complex-
ity
Add authentication Static password
method:
Password john

User Data Tab

Fudo domain
AD Domain
LDAP Base
Full name John Smith
Email [email protected]
Organization
Phone

Permissions Tab
Granted users

5.8. MS SQL 105

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name MSSQL_proxy
Blocked
Protocol MS SQL (TDS)

Permissions
Granted users

Connection
Mode proxy
Local address 10.0.150.150
Port 1433

5.8. MS SQL 106

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name admin_mssql_server
Blocked
Type regular
Session recording all
Notes

Data retention
Override global retention
settings
Delete session data after 61 days

Permissions
Granted users

Server
Server mssql_server

Credentials
Domain
Login fudo
Replace secret with with password
Password password
Repeat password password
Password change policy Static, without restrictions

5.8. MS SQL 107

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name mssql_safe
Blocked
Notifications
Login reason
Require approval
Policies
Note access No access

Protocol functionality
RDP
SSH
VNC

4. Select Users tab.

5. Click + Add user.

6. Find John and click .

7. Click OK.
8. Select Accounts tab.
9. Click + Add account.

10. Find the admin_mssql_server object and click .

11. Click OK.
12. Click in the Listeners column.

13. Find the MSSQL_proxy object and click .

14. Click OK.
15. Click Save.

5.8.3 Establishing connection with a MS SQL database

1. Start SQL Server Management Studio.

2. Enter previously configured proxy address (10.0.150.150).
3. From the Authentication drop-down list, select SQL Server Authentication.
4. Enter user login and password.
5. Click Connect.

5.8. MS SQL 108

Fudo Enterprise 5.4 - System Documentation

5.8.4 Viewing user session

1. Open a web browser and go to the Fudo Enterprise administration page.

2. Enter user login and password to log in to Fudo Enterprise administration panel.
3. Select Management > Sessions.
4. Find John Smith’s session and click .

Note: Due to the fact that MS SQL Studio may create multiple connections for sending
internal queries, the sessions, connected via the TDS layer protocol using MS SQL Studio are

5.8. MS SQL 109

Fudo Enterprise 5.4 - System Documentation

getting aggregated by Fudo Enterprise.

Fudo Enterprise follows an algorithm that verifies if there is an already connected session on a
current node. If the algorithm identifies that the main connection objects (listener, account,
server address (server), user, and safe) of the new session are correlating with already
existing session, both sessions are aggregated into one.
If the main connection objects of the new session are not correlating with any of already existing
sessions, a new session is created.
This makes multiple queries to be grouped within one session. Every query has a unique tag
that allows filtering important connections with users’ queries in the Fudo Enterprise player.

Related topics:
• SQL Server Management Studio
• Quick start - MySQL connection configuration
• Requirements
• Data model

5.9 HTTP

This chapter contains an example of a basic Fudo Enterprise configuration, to monitor access to
Twitter over HTTPS. In this scenario, the user uses its individual login credentials to log in to
a monitored Twitter account. The connection will timeout after 15 minutes (900 seconds) and
the user will have to login again to continue browsing the server’s contents.

Warning: HTTP rendering is a CPU intensive process and may have negative impact on
system’s performance. A physical appliance is recommended for monitoring rendered HTTP

5.9. HTTP 110

Fudo Enterprise 5.4 - System Documentation

connections with the following limitations regarding the maximum number of concurrent
rendered HTTP sessions.

Model Maximum recommended number of concurrent HTTP sessions*

F100x 2
F300x 5
F500x 10

* The actual value depends on the Fudo Enterprise instance configuration.

5.9.1 Prerequisites

The following description assumes that the system has been already initiated. For more infor-
mation on the initiation procedure refer to the System initiation topic.

5.9.2 Configuration

5.9. HTTP 111

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name twitter
Description
Blocked
Protocol HTTP
TLS enabled
Legacy ciphers
HTTP host
HTTP timeout 900
HTTP Authentication Twitter
Bind address 10.0.236.70

Permissions
Granted users

Destination
Address twitter.com
Port 443
Server verification None

4. Click Save or Save and close.

5.9. HTTP 112

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name john_smith
Role user
Blocked
Account validity Indefinite

Settings Tab
Safes

Authentication section
Authentication failures
Enforce password complex-
ity
Add authentication Static password
method:
Password john

User Data Tab

Fudo domain
AD Domain
LDAP Base
Full name John Smith
Email [email protected]
Organization
Phone

Permissions Tab
Granted users

5.9. HTTP 113

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name twitter_listener
Blocked
Protocol HTTP
Render sessions

Permissions
Granted users

Connection
Mode proxy
Local address 10.0.150.151
Port 997
Use TLS
Legacy ciphers

TLS certificate Click to generate a certificate.

5.9. HTTP 114

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name twitter_admin
Blocked
Type regular
Session recording all
Notes

Data retention
Override global retention
settings
Delete session data default settings

Permissions
Granted users

Server
Server twitter

Credentials
Domain
Login YourTwitterAccountUsername
Replace secret with with password
Password ******
Repeat password ******
Password change policy Static, without restrictions

5.9. HTTP 115

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name twitter_safe
Blocked
Notifications
Login reason
Require approval
Policies
Note access No access
Users john_smith

Protocol functionality
RDP
SSH
VNC

4. Select Users tab.

5. Click + Add user.

6. Find John and click .

7. Click OK.
8. Select Accounts tab.
9. Click + Add account.

10. Find the twitter_admin object and click .

11. Click OK.
12. Click in the Listeners column.

13. Find the twitter_listener object and click .

14. Click OK.
15. Click Save.

5.9.3 Connecting to remote resource

1. Launch a web browser.

2. Go to the 10.0.236.70:997 web address.
3. Enter user login and password and press the [Enter] key or click the Login button.

Note: In case you are authenticating using two factors, input your static password along with
the dynamic factor (token value) in the password field as a single string of characters.

5.9. HTTP 116

Fudo Enterprise 5.4 - System Documentation

4. Continue browsing the website.

5.9.4 Viewing user session

1. Open a web browser and go to the Fudo Enterprise administration page.

2. Enter user login and password to log in to Fudo Enterprise administration panel.
3. Select Management > Sessions.
4. Find John’s session and click the playback icon.

5.9. HTTP 117

Fudo Enterprise 5.4 - System Documentation

Related topics:
• Requirements
• HTTP protocol
• Data model
• Quick start - SSH connection configuration
• Quick start - RDP connection configuration
• Quick start - MySQL connection configuration
• Quick start - Telnet connection configuration

5.10 VNC

This chapter contains an example of a basic Fudo Enterprise configuration, to monitor VNC
access to a remote server. In this scenario, the user connects to the remote server over the VNC
protocol and logs in to the Fudo Enterprise using an individual login and password combination
(john_smith/john). When establishing the connection with the remote server, Fudo Enterprise
substitutes the password with the previously defined value: password (authentication modes are
described in the User authentication modes section).

Note: Due to specifics of VNC protocol, which authenticates the user using password only,
the substitution login string entered in account properties is ignored when establishing a VNC
connection.

5.10.1 Prerequisites

Description below assumes that the system has been already initiated. The initiation procedure
is described in the System initiation topic.

5.10. VNC 118

Fudo Enterprise 5.4 - System Documentation

5.10.2 Configuration

Parameter Value
General
Name vnc_server
Description
Blocked
Protocol VNC
Bind address Any

Permissions
Granted users

Destination
Address 10.0.40.230
Mask 32
Port 5900

4. Click Save or Save and close.

5.10. VNC 119

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name john_smith
Role user
Blocked
Account validity Indefinite

Settings Tab
Safes

Authentication section
Authentication failures
Enforce password complex-
ity
Add authentication Static password
method:
Password john

User Data Tab

Fudo domain
AD Domain
LDAP Base
Full name John Smith
Email [email protected]
Organization
Phone

Permissions Tab
Granted users

5.10. VNC 120

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name vnc_listener
Blocked
Protocol VNC
Announcement

Permissions
Granted users

Connection
Mode proxy
Local address 10.0.150.151
Port 5900
External address
External port

5.10. VNC 121

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name admin_vnc_server
Account type regular
Session recording all
OCR sessions
OCR language English
Notes

Data retention
Override global retention
settings
Delete session data after 61 days

Permissions
Granted users

Server
Server vnc_server

Credentials
Domain
Login
Replace secret with password
Password root
Repeat password root
Password change policy Static, without restrictions

5.10. VNC 122

Fudo Enterprise 5.4 - System Documentation

Parameter Value
General
Name vnc_safe
Blocked
Notifications
Login reason
Require approval
Policies
Note access

Protocol functionality
RDP
SSH
VNC

4. Select Users tab.

5. Click + Add user.

6. Find John and click .

7. Click OK.
8. Select Accounts tab.
9. Click + Add account.

10. Find the admin_vnc_server object and click .

11. Click OK.
12. Click in the Listeners column.

13. Find the vnc_listener object and click .

14. Click OK.
15. Click Save.

5.10.3 Establishing connection

1. Launch TightVNC Viewer, enter 10.0.150.151 in the server address field and press the
enter key.

5.10. VNC 123

Fudo Enterprise 5.4 - System Documentation

2. Enter username and password and press the enter key.

5.10.4 Viewing user session

1. Open a web browser and go to the 10.0.150.151 web address.

2. Enter the login and password to login to the Fudo Enterprise administration panel.
3. Select Management > Sessions.
4. Find John Smith’s session and click the playback icon.
Related topics:
• TightVNC Viewer
• Requirements
• Data model
• Quick start - RDP connection configuration
• Quick start - HTTP connection configuration
• Quick start - MySQL connection configuration
• Quick start - Telnet connection configuration

5.11 User authentication against external LDAP server

This chapter contains an example of configuring user authentication against external LDAP
service.

5.11. User authentication against external LDAP server 124

Fudo Enterprise 5.4 - System Documentation

5.11.1 Prerequisites

The following description assumes that the admin user’s authentication data is stored on LDAP
server accessible through 10.0.0.2 IP address and default LDAP service port number - 389.
User definition is stored under cn=admin,dc=example,dc=com.

5.11.2 Configuration

Adding external authentication source

1. Select Settings > External authentication.
2. Click + Add external authentication source.
3. Provide essential configuration parameters:

Parameter Value
Type LDAP
Host 10.0.0.2
Port 389
Bind to 10.0.0.10
Bind DN dc=example,dc=com

Note: Alternatively, define the path to where users definitions

are stored cn=##username##,dc=example,dc=com and leave the
LDAP base parameter in the user configuration empty

Encrypted connection
Delete

5.11. User authentication against external LDAP server 125

Fudo Enterprise 5.4 - System Documentation

4. Click Save.
Adding user authentication method
1. Select Management > Users.
2. Find and click the admin user definition.
3. On the User Data Tab, in the LDAP base field specify the location of admin object in the
directory structure cn=admin,dc=example,dc=com.

Note: Leave the LDAP base field empty if you specified where users are stored in the LDAP
server configuration (cn=##username##,dc=example,dc=com).

4. Select External authentication type of authentication method from the Add authentication
method drop-down list.
5. Choose method “LDAP 10.0.0.2:389 bind dn:dc=example,dc=com” and click Save.
6. Click Save to save user definition.
Related topics:
• Authentication
• Creating a user
• Quick start - SSH connections monitoring

5.11. User authentication against external LDAP server 126

CHAPTER 6

Users

User defines a subject entitled to connect to servers within monitored IT infrastructure. Detailed
object definition (i.e. unique login and domain combination, full name, email address etc.)
enables precise accountability of user actions when login and password are substituted with a
shared account login credentials.

Note: Fudo Enterprise allows importing user definitions from services such as Active Directory
or other LDAP-compliant services. For more information on users synchronization service, refer
to the Users synchronization topic.

127
Fudo Enterprise 5.4 - System Documentation

6.1 Creating a user

Warning: When creating a User object for MySQL connections, please note that Fudo
Enterprise does not support the MySQL server caching_sha2_password plugin. The sup-
ported MySQL plugins are mysql_native_password and mysql_old_password. To ensure
compatibility, server plugin should be set to mysql_native_password in /etc/mysql/mysql.
conf.d/mysqld.cnf file, and a User object should be created with mysql_native_password
plugin.

To create a user definition, follow the instructions below.

1. Click + icon next to the Users tab of the Management sub-section, or

2. Select Management > Users and then click + Add user.

3. Enter user name.

Note:
• While there can be more than one user with the same Name, the Name and domain
combination must be unique.
• The Name field is not case sensitive.

6.1. Creating a user 128

Fudo Enterprise 5.4 - System Documentation

Warning: It’s not allowed to include % and # characters within the usernames.

4. From the Role drop-down list select user’s role, which will determine the access rights.

Note: Access rights restrictions also apply to API interface access.

Role Access rights

user
• Connecting to servers through assigned safes.
• Loggin to the User Portal (requires adding the user to the portal
safe).
• Fetching servers’ passwords (requires additional access right).

service
• Accessing SNMP information.

operator
• Logging in to the administration panel.
• Browsing objects: servers, users, safes, accounts, to which the user
has been assigned sufficient access permisions.
• Blocking/unblocking objects: servers, users, safes, listeners, accounts,
to which the user has been assigned sufficient access permisions.
• Generating reports on demand and subscribing to periodic reports.
• Managing email notifications.
• Viewing live and archived sessions involving objects (user, safe, ac-
count, server), to which the user has been assigned sufficient access
permissions.
• Converting sessions and downloading converted content involving ob-
jects (user, safe, account, server), to which the user has been assigned
sufficient access permissions.
• Available dashboard widgets: concurrent sessions, suspicious sessions,
account alerts, active users, cluster status, concurrent sessions chart.

Continued on next page

6.1. Creating a user 129

Fudo Enterprise 5.4 - System Documentation

Table 1 – continued from previous page

Role Access rights
admin
• Logging in to the administration panel.
• Managing objects: servers, users, safes, listeners, accounts, to which
the user has been assigned sufficient access permisions.
• Blocking/unblocking objects: servers, users, safes, listeners, accounts,
to which the user has been assigned sufficient access permisions.
• Generating reports on demand and subscribing to periodic reports.
• Activating/deactivating email notifications.
• Viewing live and archived sessions involving objects (user, safe, ac-
count, server), to which the user has been assigned management priv-
ileges.
• Converting sessions and downloading converted content involving ob-
jects (user, safe, account, server), to which the user has been assigned
sufficient access permissions.
• Managing policies.
• Available dashboard widgets: concurrent sessions, suspicious sessions,
account alerts, active users, cluster status, concurrent sessions chart.

Role Access rights

superadmin
• Full access rights to objects management.
• Full access rights to system configuration options.
• Available dashboard widgets: concurrent sessions, suspicious sessions,
account alerts, active users, cluster status, concurrent sessions chart,
license, system events log.

5. Select the Blocked option to prevent user from accessing servers and resources monitored
by Fudo Enterprise.
6. Define account’s validity period.
7. In the Settings tab, in the Safes field, select desired safes to grant access to.

8. In the User Data tab, in the Domain field, enter Fudo domain.

6.1. Creating a user 130

Fudo Enterprise 5.4 - System Documentation

Note:
• Fudo domain is used to authenticate the user against the Fudo Enterprise.
• With the Fudo domain specified, user will have to include it when logging into the admin-
istration panel and Access Gateway or when establishing monitored connections.
• Additionally to the Fudo domain it is possible to set up the Default domain in the System
tab. If Default domain is specified, user can either include the Fudo domain in Username
or skip it during login. Please refer to the Default domain section to learn more about the
behavior of this option.

9. Provide user’s Active Directory domain.

Note: While the Fudo domain is used to authenticate the user against the Fudo Enterprise,
the AD domain is taken into account when authenticating the user in front of the server with
which they establish a session. This option is related to the Fudo Domain settings in the user
specification.

10. Enter LDAP service BaseDN parameter.

Note:
• LDAP base is necessary for authenticating the user using the Active Directory service.
• E.g. for example.com domain, the LDAP base parameter value should be dc=example,
dc=com.

11. In the User info field enter:

• user’s full name,
• user’s email address,

6.1. Creating a user 131

Fudo Enterprise 5.4 - System Documentation

• user’s organizational unit,

• user’s phone number.
12. In the Permissions tab select Manage button to choose users allowed to manage this User
object and in case of operators/administrators, assign management privileges to other
objects, like servers, pools, accounts, safes, and listeners.

Note: Granting a user access to certain session requires assigning management priviliges to:
server, account, user and safe objects that were used in the given connection.

13. If created user is going to use the Application to Application Password Manager function-
ality, go to the More tab, and in the AAPM field, add IP address used by the User Portal
(Access Gateway) and the AAPM to communicate with Fudo Enterprise.
14. Optionally, to configure the Fudo Officer app, go to Fudo Officer field and click Add device
button. Download Fudo Officer application in App Store and scan showed QR code to
finish mobile device binding. For more information please refer to the Fudo Officer 1.0
section.

Note: To add mobile device Call Home feature has to be enabled. Please navigate to Settings
> System, and enable it on the General tab, under the Maintenance and supervision section.

15. In the SNMP field, click Enabled option to use SNMP, and provide authentication and
encryption methods from the available drop-down lists.

Note: SNMP configuration is available only for user with the Service role.

16. Go back to the Settings tab, and in the Authentication section select the Authentication
failures option to block the user automatically after exceeding the number of failed login
attempts.

Note: The authentication failures counter is enabled only if the Authenticaiton failures option
is set in Settings > System in the User authentication and sessions section.

6.1. Creating a user 132

Fudo Enterprise 5.4 - System Documentation

17. Select the Enforce password complexity option to force passwords to conform to specified
settings.

Note: Password complexity is defined in Settings > System in the Users authentication and
sessions section.

18. Specify authentication methods.

Note: To enable configuring authentication methods, please save created user first.

19. To add authentication method, select desired type from the Add authentication method
drop-down list. Below you will find description of available authentication methods spec-
ification procedures.

Certificate
• Provide Subject that complies with the RFC 2253 or RFC 4514 requirements.

6.1. Creating a user 133

Fudo Enterprise 5.4 - System Documentation

Note: Additionally, the CA certificate is required to be uploaded in the Settings > System
tab. For more information about authentication with certificate, refer to the Certificate-based
authentication scheme topic.

Static password
• Type password in the Password field.
• Select Required password change on next login to have the user change the password on
next login attempt.

Note: If you select the Required password change on next login option, the user will not be
able to access servers using native protocols clients. The user will have to change the password
using the User Portal (Access Gateway).

External authentication
• Select external authentication source from the Choose method drop-down list.

Note: Refer to Authentication topic for more information on external authentication sources.

SSH key
• Provide public SSH key used for verifying user’s identity in the Public key field.
SMS
• In the First factor field choose Static password or External authentication (AD or LDAP).
• Provide a phone number in the Phone input field.

Note: For more information about SMS authentication configuration, refer to the SMS au-
thentication definition topic.

DUO
• In the First factor field choose Static password or External authentication (AD or LDAP).
• In the Second factor field:
– Provide DUO User.
– Provide DUO User Id.

Note: For more information about DUO authentication configuration, refer to the DUO
authentication definition topic.

OATH
• In the First factor field choose Static password or External authentication (AD or LDAP).
• In the Second factor field:

6.1. Creating a user 134

Fudo Enterprise 5.4 - System Documentation

– Provide Token type.

– Provide secret that will be used by Google Authenticator by typing it in the Secret
field, by generating random secret by pressing Generate button, or by generating
QRCode by pressing QRCode button.
– Specify Token length.
– Choose the timestamp value from the Timestamp drop-down list.
– Choose Initialized option if needed.
For more information refer to the Two-factor OATH authentication with Google Authenticator
page.
API key
• Provide or generate API key.
• Copy generated API key to use it in other systems that require authentication with this
Fudo user.

Note: The API Key cannot be retrieved after saving this authentication method.

20. To define more authentication methods select new type from Add authentication method
drop-down list.

Note:
• When processing user authentication requests, Fudo Enterprise verifies login credentials
against defined authentication methods in order in which those methods have been defined.
• After adding several authentication methods you have the possibility to change their order
by using drag-and-drop functionality.

21. Click Save or Save and close.

Related topics:
• Authentication failures counter
• Users synchronization
• Data model
• Default domain
• System initiation
• Servers
• Accounts

6.1. Creating a user 135

Fudo Enterprise 5.4 - System Documentation

• Approving pending user requests

• Declining pending requests

6.2 Copying user grants

Copy grants feature allows you to copy permissions from a user with the Admin or Operator role
to the user currently being edited. The copying process involves taking the grants from selected
user and applying all the differences to user being edited.

Note: To copy grants from already created and configured user, you have to save your user
definition first.

To copy grants from other user definition, proceed as follows:

1. While editing or creating new user definition, select three dots symbol next to the Cancel
button.
2. Select Copy grants from. . . button.

3. From the Copy from drop-down list select the user you want to copy grants from.
4. Click Save.
Tematy pokrewne:
• Users synchronization
• Data model
• System initiation

6.3 Editing a user

1. Select Management > Users.

2. Define filters to limit the number of objects displayed on the list.

6.2. Copying user grants 136

Fudo Enterprise 5.4 - System Documentation

3. Find and click desired user’s name to access its configuration parameters.

Note:
• ID is a read-only, unique object identifier and it is assigned by Fudo Enterprise when object
is created.

4. Modify configuration values as needed.

5. Click Save or Save and close.
Related topics:
• Users synchronization
• Data model
• System initiation
• Servers
• Accounts

6.3. Editing a user 137

Fudo Enterprise 5.4 - System Documentation

6.4 Blocking a user

Warning: Blocking a user will terminate its current connections.

1. Select Management > Users.

2. Define filters to limit the number of objects displayed on the list, or use a search bar.

3. Select the user you want to block and click Block.

4. Provide mandatory blocking reason and click Block.

Note: To view the blocking reason, place the cursor over the red cross icon on the users list.

Users can also be blocked by accessing the user object configuration form. To do this:
• Edit user definition.
• Select the Blocked option.
• Provide mandatory blocking reason and klick ‘Set reason’.

6.4. Blocking a user 138

Fudo Enterprise 5.4 - System Documentation

• Click Save or Save and close.

Related topics:
• Users synchronization
• Data model
• System initiation
• Servers
• Accounts

6.5 Unblocking a user

1. Select Management > Users.

2. Define filters to limit the number of objects displayed on the list.
3. Select the user you want to unblock and click Unblock.

4. Click Unblock to confirm.

Users can also be unblocked by accessing the user object configuration form. To do this:
• Edit user definition.
• Deselect the Blocked option.

6.5. Unblocking a user 139

Fudo Enterprise 5.4 - System Documentation

• Click Save or Save and close.

Related topics:
• Users synchronization
• Data model
• System initiation
• Servers
• Accounts

6.6 Deleting a user

Note: Deleting a user definition does not result in the removal of associated registered sessions.
Sessions of deleted users are marked with a strikethrough username.

Warning: Deleting a user definition will terminate its current connections.

1. Select Management > Users.

2. Define filters to limit the number of objects displayed on the list, or use a search bar.

3. Click Delete selected.

6.6. Deleting a user 140

Fudo Enterprise 5.4 - System Documentation

4. Confirm deleting selected objects.

Related topics:
• Users synchronization
• Data model
• System initiation
• Servers
• Accounts

6.7 Authentication failures counter

Fudo can keep track of failed login attempts and automatically block users accounts if the counter
reaches a specified value.
1. Select Settings > System.
2. In the Authentication and sessions section, select Authentication failures option.
3. Enter the number of failed login attempts after which the user account will be blocked.

6.7. Authentication failures counter 141

Fudo Enterprise 5.4 - System Documentation

4. Click Save.
5. Select Management > Users.
6. Find and click a user that you want to block automatically after a number of failed login
attempts.
7. In the Authentication section, select Authentication failures.
8. Click Save.

Note: Click Reset button to reset the counter.

Related topics:
• User authentication methods and modes

6.8 Roles

6.8. Roles 142

Fudo Enterprise 5.4 - System Documentation

Role Access rights

service
• Accessing SNMP information.

admin
• Logging in to the administration panel.
• Managing objects: servers, users, safes, listeners, accounts, to which
the user has been assigned sufficient access permisions.
• Blocking/unblocking objects: servers, users, safes, listeners, accounts,
to which the user has been assigned sufficient access permisions.
• Generating reports on demand and subscribing to periodic reports.
• Activating/deactivating email notifications.
• Viewing live and archived sessions involving objects (user, safe, ac-
count, server), to which the user has been assigned management priv-
ileges.
• Converting sessions and downloading converted content involving ob-
jects (user, safe, account, server), to which the user has been assigned
sufficient access permissions.
• Managing policies.
• Available dashboard widgets: concurrent sessions, suspicious sessions,
account alerts, active users, cluster status, concurrent sessions chart.

6.8. Roles 143

Fudo Enterprise 5.4 - System Documentation

Role Access rights

Related topics:
• Users synchronization
• Data model
• System initiation
• Servers
• Accounts

6.9 Users synchronization

User is one of the fundamental data model entity. Only defined users are allowed to connect
to monitored servers. Fudo Enterprise features automatic users synchronization service which
enables importing users information from Active Directory servers or other servers compatible
with the LDAP protocol.

Warning: It is required that LDAP server supports a memberOf parameter - an attribute

that specifies the distinguished names of the groups to which this object belongs.

New users definitions and changes in existing objects are imported from the directory service
periodically every 5 minutes. Deleting a user object from an AD or an LDAP server requires
performing the full synchronization to reflect those changes on Fudo Enterprise. The full syn-
chronization process is triggered automatically once a day at 00:00, or can be triggered manually.

Note:
• Fudo Enterprise supports nested LDAP groups.
• Also, Fudo Enterprise allows synchronizing the user’s data with the LDAP service source.
The Synchronize with LDAP option is responsible for this process. When this option
is checked for the given user, an administrator can’t edit the user’s data manually but
can add or edit their authentication methods. If the Synchronize with LDAP option is
unchecked, the user is no longer synchronized with LDAP source, and can be edited by an
administrator. The administrator can still check the option and reinstate synchronization
with LDAP, but any change made manually will disappear with the next synchronisation
attempt. Only the added authentication methods won’t change.

6.9. Users synchronization 144

Fudo Enterprise 5.4 - System Documentation

Configuring users synchronization service

To enable users synchronization feature, proceed as follows.
1. Select Settings > LDAP synchronization.
2. Select Enabled.
3. In case of cluster configuration, from the Active cluster node drop-down list, select which
node will be performing objects synchronization with LDAP service.
4. Click + Add LDAP domain.
5. Provide domain’s name.
6. Define priority, determining the order in which domains are queried.

Note: Lower number translates to higher priority.

7. In the Directory service section, select data source type from the Server type drop-down
list.
8. Provide the user authentication information to access user data on given server.
9. Enter domain name, to which imported users are assigned to.
10. Provide base DN parameter for users’ objects (eg. DC=devel,DC=whl).
11. Provide base DN for parameter groups’ objects (eg. DC=tech,DC=whl).

6.9. Users synchronization 145

Fudo Enterprise 5.4 - System Documentation

Note: DN parameter should not contain any white space characters.

12. Define filter (or leave the default value) for user records, which are subject to synchroniza-
tion.
13. Define filter (or leave the default value) for user groups, which are subject to synchroniza-
tion.

14. Click in the LDAP controllers section to define directory service server.
15. Provide IP address and port number.

Note: In case of TLS-encrypted connection, define LDAP server’s address using its full domain
name (e.g. tech.ldap.com) instead of an IP address, to ensure the certificate is verified properly.
Make sure that the given server name is included in certificate’s Common Name field.

16. Select the Page LDAP results option to enable paging.

17. Select the Encrypted connection option to enable encryption and upload the CA certificate.

Note: Click to add more directory servers.

18. Define user information mapping.

Note: Fields mapping enables importing users information from nonstandard attributes, e.g.

6.9. Users synchronization 146

Fudo Enterprise 5.4 - System Documentation

telephone number defined in an attribute named mobile instead of the standard telephoneNum-
ber.

19. Select Block automatically to automatically block local users’ accounts blocked in the
directory.

20. Click in the Groups mapping section to define user groups to safes assignment.
21. Type in user group and select desired entry.

22. Assign safes to user groups.

23. Assign external authentication sources to user groups.

Note: External authentication sources are assigned to users in the exact sequence they are
defined in groups mapping. Thus if the same user is present in more than one group, Fudo
Enterprise will be authenticating him against external authentication sources starting from those
defined in the first group mapping defined.
For example:
A user is assigned to groups A and B. Group B is mapped to Safe RDP and has CERB and Radius
authentication sources assigned. Group A is second in order and it is mapped to Safe SSH and
has AD authentication source assigned.
Authenticating a user, Fudo Enterprise will send requests to external authentication sources in
the following order:
1. CERB.
2. Radius.
3. AD.

6.9. Users synchronization 147

Fudo Enterprise 5.4 - System Documentation

24. In the User authentication methods section, select the Add X.509 cerificate option to
retrieve user’s certificate and assign it as one of user’s authentication methods.
25. Select the Add SSH key extracted from X.509 certificate option to retrieve user SSH key
from certificate and assign it as one of user’s authentication methods.
26. Click Save.

Note:
• The Force full synchronization option enables processing changes in directory structures
which cannot be processed during periodical synchronization, eg. deleting a defined group
or deleting a user.
• The full synchronization process is triggered automatically once a day at 00:00, or can be
triggered manually.
• Use diagnostics tools to troubleshoot problems with LDAP configuration.
• Fudo Enterprise supports nested LDAP groups.

Related topics:
• User authentication against external LDAP server
• Users management
• Diagnostics

6.9. Users synchronization 148

CHAPTER 7

Servers

Server is a definition of the IT infrastructure resource, which can be accessed over one of the
specified protocols.
• Fudo Enterprise allows configuring a server with one unique address and a server with a
group of addresses to be connected within a specified network.
• Once the server definition is configured and saved, the Fudo Enterprise allows grouping
multiple servers within one Server Pool so all the added servers are managed as one server
within other objects.

7.1 Creating a server

7.1.1 Creating an HTTP server

Note:
• A server object can be linked to only one anonymous account.
• A server object can be linked to only one forward account.

Model Maximum recommended number of concurrent HTTP sessions*

F100x 2
F300x 5
F500x 10

149
Fudo Enterprise 5.4 - System Documentation

* The actual value depends on the Fudo Enterprise instance configuration.

1. Click + icon in the main menu next to the Servers tab, or

Select Management > Servers and then click + Add server.
2. Enter server’s unique name.
3. Select Blocked option to disable access to server after it’s created.
4. Optionally, click the Description checkbox and provide a text that will help identifying
this server object.
5. In the Permissions section, add users allowed to manage this object.

6. In the Settings section on the list of available protocols select HTTP .

Warning: After server’s definition is saved, protocol’s field is uneditable.

7. Select the TLS enabled option to connect to monitored server over TLS.
• Select Legacy ciphers option to allow negotiating older encryption algorithms (DSA(1024),
RSA(1024)) when establishing connections.
8. In the HTTP host field provide the HTTP host header value.

Note: The HTTP host header determines the requested content in case there are many web
sites hosted on the specified server.

9. Enter value of the HTTP timeout parameter, determining the time period of inactivity
(expressed in seconds), after which the user will have to authenticate again.
10. Click the HTTP Authentication option to enable additional verification process and select
one of the available platforms. If None is selected, provide custom login page details:
• Login page URL,
• Username and Password,

7.1. Creating a server 150

Fudo Enterprise 5.4 - System Documentation

• optionally, check the Press the enter key prior to password option.

Note: HTTP authentication is active only when the Render sessions option is enabled in the
HTTP listener settings. To enable Render sessions option, please refer to the Setting up the
HTTP listener topic.

11. From the Bind address drop-down list, select Fudo Enterprise IP address used for commu-
nicating with this server.

Note:
• The Bind address drop-down list elements are IP address defined in the Network con-
figuration menu (Network interfaces configuration) or labeled IP addresses (Labeled IP
addresses).
• In case of cluster configuration, select a labeled IP address from the Bind address drop-
down list and make sure that other nodes have IP addresses assigned to this label. For
more information refer to the Labeled IP addresses topic.

12. In the Destination section select Host, IPv4 or IPv6. Enter server’s IP address.

Note: Depending on selected option, default values for the Mask and Port fields are filled out
automatically. This way the Fudo Enterprise system detects server as one with unique address.
In order to set up address for entire subnet, provide a dedicated value for the Address and the
Mask fields.

• If the TLS enabled was checked, in the Server verification section select one of the following
options:Server certificate or CA certificate and provide respective certificate data.
Select None to disable server verification.

13. Click Save or Save and close.

7.1. Creating a server 151

Fudo Enterprise 5.4 - System Documentation

• Pools
• Protocols - HTTP
• Data model
• Accounts
• Listeners
• Safes

7.1.2 Creating a Modbus server

Note:
• A server object can be linked to only one anonymous account.
• A server object can be linked to only one forward account.

1. Click + icon in the main menu next to the Servers tab, or

Warning: After server’s definition is saved, protocol’s field is uneditable.

7. From the Bind address drop-down list, select Fudo Enterprise IP address used for commu-
nicating with this server.

8. In the Destination section select Host, IPv4 or IPv6. Enter server’s IP address.

Note: Depending on selected option, default values for the Mask and Port fields are filled out
automatically. This way the Fudo Enterprise system detects server as one with unique address.

7.1. Creating a server 152

Fudo Enterprise 5.4 - System Documentation

In order to set up address for entire subnet, provide a dedicated value for the Address and the
Mask fields.

9. Click Save or Save and close.

Related topics:
• Pools
• Data model
• System initiation
• Users
• Listeners
• Safes
• Accounts

7.1.3 Creating a MS SQL server

Note:
• A server object can be linked to only one anonymous account.
• A server object can be linked to only one forward account.

1. Click + icon in the main menu next to the Servers tab, or

7.1. Creating a server 153

Fudo Enterprise 5.4 - System Documentation

5. In the Permissions section, add users allowed to manage this object.

6. In the Settings section on the list of available protocols select MSSQL(TDS) .

Warning: After server’s definition is saved, protocol’s field is uneditable.

7. From the Bind address drop-down list, select Fudo Enterprise IP address used for commu-
nicating with this server.

8. In the Destination section select Host, IPv4 or IPv6. Enter server’s IP address.

9. Click Save or Save and close.

Related topics:
• Pools
• Data model
• System initiation

7.1. Creating a server 154

Fudo Enterprise 5.4 - System Documentation

• Users
• Listeners
• Safes
• Accounts

7.1.4 Creating a MySQL server

Warning: Please note that the MySQL server caching_sha2_password plugin isn’t
supported by Fudo Enterprise. Supportable MySQL plugins by Fudo Enterprise are
mysql_native_password and mysql_old_password. Server plugin should be set to
mysql_native_password in /etc/mysql/mysql.conf.d/mysqld.cnf and a User object is
created with mysql_native_password plugin.

Note:
• A server object can be linked to only one anonymous account.
• A server object can be linked to only one forward account.

1. Click + icon in the main menu next to the Servers tab, or

Warning: After server’s definition is saved, protocol’s field is uneditable.

7. From the Bind address drop-down list, select Fudo Enterprise IP address used for commu-
nicating with this server.

7.1. Creating a server 155

Fudo Enterprise 5.4 - System Documentation

8. In the Destination section select Host, IPv4 or IPv6. Enter server’s IP address.

9. Click Save or Save and close.

Related topics:
• Pools
• Data model
• System initiation
• Users
• Listeners
• Safes
• Accounts

7.1.5 Creating an RDP server

Note:
• A server object can be linked to only one anonymous account.
• A server object can be linked to only one forward account.
• Fudo Enterprise allows authenticating against RDP server with Kerberos.

1. Click + icon in the main menu next to the Servers tab, or

Select Management > Servers and then click + Add server.

7.1. Creating a server 156

Fudo Enterprise 5.4 - System Documentation

2. Enter server’s unique name.

3. Select Blocked option to disable access to server after it’s created.
4. Optionally, click the Description checkbox and provide a text that will help identifying
this server object.
5. In the Permissions section, add users allowed to manage this object.

6. In the Settings section on the list of available protocols select RDP .

Warning: After server’s definition is saved, protocol’s field is uneditable.

7. Select the TLS enabled option to connect to monitored server over TLS.
• Check the NLA enabled option for additional security.

Note: Security mode must match the security mode setting in the RDP listener
configuration. The NLA enabled option within a server corresponds to the Enhanced
RDP Security (TLS) option within the listener.

• Select Legacy ciphers option to allow negotiating older encryption algorithms

(DSA(1024), RSA(1024)) when establishing connections.
8. Check the Inform about existing connection option to have the users informed
that other users are connected to the server, they are trying to connect to.
9. From the Bind address drop-down list, select Fudo Enterprise IP address used for commu-
nicating with this server.

Note:
• The Bind address drop-down list elements are IP address defined in the Network con-
figuration menu (Network interfaces configuration) or labeled IP addresses (Labeled IP
addresses).

7.1. Creating a server 157

Fudo Enterprise 5.4 - System Documentation

• In case of cluster configuration, select a labeled IP address from the Bind address drop-
down list and make sure that other nodes have IP addresses assigned to this label. For
more information refer to the Labeled IP addresses topic.

10. In the Destination section select Host, IPv4 or IPv6. Enter server’s IP address.

• If the TLS enabled has been checked, in the Server verification section select one of the
following options:Server certificate or CA certificate and provide respective certifi-
cate data. Select None to disable server verification. To learn more about the RDP server
certificate management, please follow the Managing RPD Server certificates in Windows
Server section.
• Otherwise, provide server key.

12. Click Save or Save and close.

Related topics:
• Pools
• Data model
• System initiation
• Users
• Listeners
• Safes
• Accounts

7.1. Creating a server 158

Fudo Enterprise 5.4 - System Documentation

7.1.6 Creating an SSH server

Note:
• A server object can be linked to only one anonymous account.
• A server object can be linked to only one forward account.

1. Click + icon in the main menu next to the Servers tab, or

6. In the Settings section on the list of available protocols select SSH .

Warning: After server’s definition is saved, protocol’s field is uneditable.

7. Select Legacy ciphers option to allow negotiating older encryption algorithms (DSA(1024),
RSA(1024)) when establishing connections.
12. From the Bind address drop-down list, select Fudo Enterprise IP address used for commu-
nicating with this server.

Note:
• The Bind address drop-down list elements are IP address defined in the Network con-
figuration menu (Network interfaces configuration) or labeled IP addresses (Labeled IP
addresses).

7.1. Creating a server 159

Fudo Enterprise 5.4 - System Documentation

13. In the Destination section select Host, IPv4 or IPv6. Enter server’s IP address.

14. In the Server verification section select Server public key and provide respective certifi-
cate data. Select None to disable server verification.

15. Click Save or Save and close.

Related topics:
• Pools
• Data model
• System initiation
• Users
• Listeners
• Safes
• Accounts

7.1. Creating a server 160

Fudo Enterprise 5.4 - System Documentation

7.1.7 Creating a Telnet server

Note:
• A server object can be linked to only one anonymous account.
• A server object can be linked to only one forward account.
• In case of Telnet connections over forward and regular accounts, users are asked to provide
their login credentials twice. First time to authenticate against Fudo Enterprise and then
to connect to the target host.

1. Click + icon in the main menu next to the Servers tab, or

6. In the Settings section on the list of available protocols select Telnet .

Warning: After server’s definition is saved, protocol’s field is uneditable.

7. Select the TLS enabled option to connect to monitored server over TLS.
• Select Legacy ciphers option to allow negotiating older encryption algorithms (DSA(1024),
RSA(1024)) when establishing connections.
8. From the Bind address drop-down list, select Fudo Enterprise IP address used for commu-
nicating with this server.

Note:

7.1. Creating a server 161

Fudo Enterprise 5.4 - System Documentation

• The Bind address drop-down list elements are IP address defined in the Network con-
figuration menu (Network interfaces configuration) or labeled IP addresses (Labeled IP
addresses).
• In case of cluster configuration, select a labeled IP address from the Bind address drop-
down list and make sure that other nodes have IP addresses assigned to this label. For
more information refer to the Labeled IP addresses topic.

9. In the Destination section select Host, IPv4 or IPv6. Enter server’s IP address.

10. Click Save or Save and close.

Related topics:
• Pools
• Data model
• System initiation
• Users
• Listeners
• Safes
• Accounts

7.1. Creating a server 162

Fudo Enterprise 5.4 - System Documentation

7.1.8 Creating a Telnet 3270 server

1. Click + icon in the main menu next to the Servers tab, or

6. In the Settings section on the list of available protocols select Telnet 3270 .

Warning: After server’s definition is saved, protocol’s field is uneditable.

7. Select the TLS enabled option to connect to monitored server over TLS.
• Select Legacy ciphers option to allow negotiating older encryption algorithms (DSA(1024),
RSA(1024)) when establishing connections.
8. From the Bind address drop-down list, select Fudo Enterprise IP address used for commu-
nicating with this server.

Note:

7.1. Creating a server 163

Fudo Enterprise 5.4 - System Documentation

9. In the Destination section select Host, IPv4 or IPv6. Enter server’s IP address.

10. Click Save or Save and close.

Related topics:
• Pools
• Data model
• System initiation
• Users
• Listeners
• Safes
• Accounts

7.1. Creating a server 164

Fudo Enterprise 5.4 - System Documentation

7.1.9 Creating a Telnet 5250 server

1. Click + icon in the main menu next to the Servers tab, or

6. In the Settings section on the list of available protocols select Telnet 5250 .

Warning: After server’s definition is saved, protocol’s field is uneditable.

7. Select the TLS enabled option to connect to monitored server over TLS.
• Select Legacy ciphers option to allow negotiating older encryption algorithms (DSA(1024),
RSA(1024)) when establishing connections.
8. From the Bind address drop-down list, select Fudo Enterprise IP address used for commu-
nicating with this server.

Note:

7.1. Creating a server 165

Fudo Enterprise 5.4 - System Documentation

9. In the Destination section select Host, IPv4 or IPv6. Enter server’s IP address.

10. Click Save or Save and close.

Related topics:
• Pools
• Data model
• System initiation
• Users
• Listeners
• Safes
• Accounts

7.1. Creating a server 166

Fudo Enterprise 5.4 - System Documentation

7.1.10 Creating a VNC server

Note:
• A server object can be linked to only one anonymous account.
• A server object can be linked to only one forward account.

1. Click + icon in the main menu next to the Servers tab, or

Warning: After server’s definition is saved, protocol’s field is uneditable.

7. From the Bind address drop-down list, select Fudo Enterprise IP address used for commu-
nicating with this server.

8. In the Destination section select Host, IPv4 or IPv6. Enter server’s IP address.

7.1. Creating a server 167

Fudo Enterprise 5.4 - System Documentation

9. Click Save or Save and close.

Related topics:
• Pools
• Data model
• System initiation
• Users
• Listeners
• Safes
• Accounts

7.1.11 Creating a TCP server

1. Click + icon in the main menu next to the Servers tab, or

Warning: After server’s definition is saved, protocol’s field is uneditable.

7. From the Bind address drop-down list, select Fudo Enterprise IP address used for commu-
nicating with this server.

Note:

7.1. Creating a server 168

Fudo Enterprise 5.4 - System Documentation

8. In the Destination section select Host, IPv4 or IPv6. Enter server’s IP address.

9. Click Save or Save and close.

Related topics:
• Pools
• TCP
• Data model
• Setting up the TCP listener

7.1. Creating a server 169

Fudo Enterprise 5.4 - System Documentation

7.2 Importing a server list from CSV file

1. Select Management > Servers and then click Import from file.

2. Drag and drop file into the modal window upload area or click Browse for file to upload
it from local directory.
3. Displayed modal window presents a list of servers that will be added to Fudo Enterprise
configuration.
4. Click Send data to upload all listed servers to Fudo Enterprise configuration or Clear Data
to terminate uploading procedure.

Note: If any server specified in the CSV file have incorrect values, it will be skipped during
the upload process. For example, a server with the same name as an existing server in the
configuration will not be uploaded.

CSV file format

The CSV file must be constructed according to the following rules:
• The first row is a header row containing names corresponding to the API fields names
(refer to API Documentation: API v2: Servers).
• The header row must include all fields that are required when manually creating a server
for a specific protocol. Other fields are optional and can be left empty.
• A comma (,), semicolon (;), or pipe (|) can be used as a field separator.
• Text enclosed within double quotation marks (“”) is treated as a string, so field separators
within it are ignored.
Example:

name,protocol,address,port,mask,bind_ip
Server1,ssh,243.177.229.0,22,,10.0.144.193
Server2,rdp,243.177.228.0,22,32,fudo:label:labelname

7.2. Importing a server list from CSV file 170

Fudo Enterprise 5.4 - System Documentation

• System initiation
• Users
• Listeners
• Safes
• Accounts

7.3 Editing a server

1. Select Management > Servers.

2. Define filters to limit the number of objects displayed on the list, or use a search bar.
3. Find and click desired object’s name to open its configuration page.

4. Modify configuration parameters as needed.

5. Click Save.
Related topics:
• Data model
• System initiation
• Users
• Listeners
• Safes
• Accounts

7.3. Editing a server 171

Fudo Enterprise 5.4 - System Documentation

7.4 Blocking a server

Fudo Enterprise allows blocking access to given server for all users.

Warning: Blocking a server will terminate current connections with the given server.

1. Select Management > Servers.

2. Define filters to limit the number of objects displayed on the list, or select a server that
needs to be blocked right from the list.
3. Select the object and click the Blocked option.

4. Provide blocking reason and click Block.

5. You can also block the server from the editing form. Just edit the server, select Blocked
option and provide the reason of blocking. Save changes.

Related topics:
• Data model
• System initiation
• Users

7.4. Blocking a server 172

Fudo Enterprise 5.4 - System Documentation

• Listeners
• Safes
• Accounts

7.5 Unblocking a server

1. Select Management > Servers.

2. Define filters to limit the number of objects displayed on the list, or select a server that
needs to be unblocked right from the list.
3. Select the server and click the Unblock button.

4. Click Unblock to confirm.

5. You can also unblock the server from the editing form. Just edit the server and deselect
Blocked option. Save changes.

Related topics:
• Data model
• System initiation
• Users

7.5. Unblocking a server 173

Fudo Enterprise 5.4 - System Documentation

• Listeners
• Safes
• Accounts

7.6 Deleting a server

Warning: A server can’t be deleted if assigned to an account.

1. Select Management > Servers.

2. Define filters to limit the number of objects displayed on the list.
3. Use checkboxes next to the servers to select them and click Delete selected.

Alternatively, you can edit a server that needs to be deleted right from the list, click the vertical
three-dot icon and click Remove server.

5. Confirm server(s) deleting.

7.6. Deleting a server 174

Fudo Enterprise 5.4 - System Documentation

• System initiation
• Users
• Listeners
• Safes
• Accounts

7.6. Deleting a server 175

CHAPTER 8

Pools

Server Pools allow grouping multiple server objects based on the same protocol and manage
within other objects (for example, accounts) as one server.

8.1 Creating a pool

In order to create a pool, follow the instructions:

1. Click + icon in the main menu next to the Pools tab, or
Select Management > Servers and then click + Add pool.
2. Enter pool’s unique name.
3. Optionally, click the Description checkbox and provide a text that will help identifying
this pool object.

176
Fudo Enterprise 5.4 - System Documentation

4. In the Permissions section, add users allowed to manage this object.

5. In the Settings section select servers to be added to the pool.

Note: Protocol of the servers in terms of group should be unique.

6. Click Save or Save and close.

8.2 Deleting a pool

Warning: A pool can’t be deleted if assigned to an account.

In order to delete a pool, follow the instructions:

1. Select Management > Pools.
2. Define filters to limit the number of objects displayed on the list:

3. Use checkboxes next to the pool(s) and click Delete selected.

8.2. Deleting a pool 177

Fudo Enterprise 5.4 - System Documentation

Alternatively, select a pool that needs to be deleted right from the list and click on the vertical
three-dot icon:

4. Confirm pool(s) deleting.

Related topics:
• Data model
• System initiation
• Users
• Listeners
• Safes
• Accounts

8.2. Deleting a pool 178

CHAPTER 9

Remote applications

Fudo Enterprise enables direct connection over the RDP protocol to a remote application using
Remote Applications feature.
You can configure remote application entries for specific resource for its future connection by a
user via Access Gateway and Remote Desktop Protocol client.

9.1 Adding remote application

In order to configure a remote application, follow the instruction:

1. Select Management > Remote applications.
2. Click the Add remote application button.
3. Provide remote application configuration:
• Enter application’s Name,
• provide Path to the executable file, and
• the Arguments within two %% symbols, e.g., %%variable%%. Defining variable shows
additional configuration row where you can define which object and what property of
object to use,
• select Object type and Object property for each of your Arguments,
• encrypt given arguments by selecting Encrypt option.
4. Click Save or Save and close.
5. Add the predefined remote application to the Account with access to the RDP server:
• Select Management > Accounts,
• select the account with access to the RDP server or create a new one,

179
Fudo Enterprise 5.4 - System Documentation

• in the Remote applications section click the Add remote application button and select the
predefined remote application.
• click the button Save.

9.2 Connecting to remote application via Access Gateway

In order to establish a connection, sign in to the Access Gateway and select the respective account
and a listener to be connected using the predefined remote application. Select the Native client
option.

When a session to the specific resource is established by a user, their remote session is connected
within the application only. Therefore, the user has no access to the entire desktop, and closing
the application terminates the session.

9.3 Deleting remote application

Deleting a definition of the remote application

In order to delete a remote application definition, follow the instructions:
1. Select Management > Remote applications.
2. Select a remote application definition that needs to be deleted right from the list.
3. In the edit mode click on the vertical three-dot icon.
4. Press the Remove Application button.
5. Confirm the remote application removal.
Deleting a remote application from the Account definition
In order to delete a predefined remote application from the Account definition, follow the in-
structions:
1. Select Management > Accounts.

9.2. Connecting to remote application via Access Gateway 180

Fudo Enterprise 5.4 - System Documentation

2. Select the account that has the predefined remote application configured.
3. In the Remote applications section the Delete option to remove the predefined remote
application.
4. Click the button Save.
Related topics:
• Data model
• System initiation
• Users
• Listeners
• Safes
• Accounts
• Creating an account

9.3. Deleting remote application 181

CHAPTER 10

Accounts

Account defines the privileged account existing on the monitored server. It specifies the actual
login credentials, user authentication mode: anonymous (without user authentication), regular
(with login credentials substitution) or forward (with login and password forwarding); password
changing policy as well as the password changer itself.

Note: In case of Telnet connections, user has to go through authentication process twice. First
time to authenticate against Fudo Enterprise and then to connect to the target host.

182
Fudo Enterprise 5.4 - System Documentation

10.1 Creating an account

10.1.1 Creating an anonymous account

1. Click + icon in the main menu next to the Accounts tab, or

Select Management > Accounts and then click + Add.

2. Define object’s name.

3. Select Blocked option to disable account after it’s created.

4. Select anonymous from the Type drop-down list.

10.1. Creating an account 183

Fudo Enterprise 5.4 - System Documentation

• raw - Fudo Enterprise saves session metadata (basic session information) and
records raw network traffic (RAW file). The raw data can be downloaded
but it cannot be played back in graphical form using the built-in session
player (session player only depicts the networks packet exchange between
the client and the target host).
• noraw - Fudo Enterprise records the session data in a non-raw format that
could be played back using the built-in session player.
• none - Fudo Enterprise saves only session metadata (basic session informa-
tion).
6. In the Notes field, enter a message to User Portal (Access Gateway) users. If permissions
are granted, notes can be also edited.

Note: Account notes can be displayed in the User Portal (Access Gateway).

7. In the Category field select privileged or non-privileged account category.

Note: During manual account creation, assigning the category as privileged or non-privileged
is purely informational, yet during the Discovery, it is automatically assigned based on the
account’s parameters in the source system.

8. In the Data retention section, define automatic data removal settings.

• Select Override global retention settings option to set other than global re-
tention values for connections established using this account.
• Check the Delete session data option to exclude sessions from retention
mechanism.
• Next to the Delete session data field, define the number of days after which
the session data will moved to external storage device. Default value when
the option is checked, is 30 days.

Note: Data retention for sessions established using this account will only be active if global
retention is enabled. To change global retention settings see chapter Data Retention.

9. In the Permissions section, add users allowed to manage this object.

10.1. Creating an account 184

Fudo Enterprise 5.4 - System Documentation

10. In the Server section, assign account to a specific server or a server pool by selecting it
from the Server drop-down list.
11. Select SSH Agent forwarding option to authenticate the user against the target host using
client’s SSH key.

Note: This option is availble only after selecting an SSH server. Use -A option for connecting
to SSH server.

12. Click Save.

Related topics:
• Data model
• Deleting an account
• Editing an account
• Unblocking an account
• Blocking an account

10.1.2 Creating a forward account

1. Click + icon in the main menu next to the Accounts tab, or

Select Management > Accounts and then click + Add.

2. Define object’s name.

3. Select Blocked option to disable account after it’s created.

10.1. Creating an account 185

Fudo Enterprise 5.4 - System Documentation

4. Select forward from the Type drop-down list.

5. Select desired session recording option.
• all - Fudo Enterprise saves session metadata (basic session information),
records raw network traffic (RAW file) and stores session data in internal file
format (FBS). The latter enables session playback using the built-in session
player, as well as exporting sessions to a selection of video file formats.
• raw - Fudo Enterprise saves session metadata (basic session information) and
records raw network traffic (RAW file). The raw data can be downloaded
but it cannot be played back in graphical form using the built-in session
player (session player only depicts the networks packet exchange between
the client and the target host).
• noraw - Fudo Enterprise records the session data in a non-raw format that
could be played back using the built-in session player.
• none - Fudo Enterprise saves only session metadata (basic session informa-
tion).
6. In the Notes field, enter a message to User Portal (Access Gateway) users. If permissions
are granted, notes can be also edited.

Note: Account notes can be displayed in the User Portal (Access Gateway).

10.1. Creating an account 186

Fudo Enterprise 5.4 - System Documentation

7. In the Category field select privileged or non-privileged account category.

8. In the Data retention section, define automatic data removal settings.

Note: Data retention for sessions established using this account will only be active if global
retention is enabled. To change global retention settings see chapter Data Retention.

9. In the Permissions section, add users allowed to manage this object.

10. In the Server section, assign account to a specific server or a server pool by selecting it
from the Server drop-down list.
11. From the Replace secret with drop down list in the Credentials, select desired option.
secret from a different account
• From the Account drop-down list, select account object, whose credentials will be used to
authenticate user when establishing connection with monitored server.

Note: The list contains only objects to which you have been given access permissions.

key

• Click the icon and select the key type.

10.1. Creating an account 187

Fudo Enterprise 5.4 - System Documentation

• Click the and browse the file system to find the key definition file.
• Click the i icon and select the key type.
• Click the i icon and browse the file system to find the key definition file.
password
• Provide account password.
• Repeat account password.

Note: Two-fold authentication

With two-fold authentication enabled, user is being prompted twice for login credentials. Once
for authenticating against Fudo Enterprise and once again for accessing target system.
To enable two-fold authentication, select password from the Replace secret with drop-down list
and leave the password and login fields empty.

password from external repository

• Select external repository.

Note: Authentication by the server

With the Authentication against server option enabled, Fudo Enterprise does not verify the
correctness of user credentials. Login information is forwarded to the target host, which verifies
whether the user is allowed to access it. Verification status is returned to Fudo, which establishes
monitored connection. To enable this authentication scenario, select the Authenticate against
server option in the Credentials section (available only for SSH servers and RDP hosts with the
Enhanced RDP Security (TLS) + NLA security option selected).

Also note that 2FA/MFA authentication won’t work here. If you create a user with OATH+AD
authentication the OATH part is bypassed and only the password is used and sent to the server
– Fudo won’t ask for the OATH token in this situation. The same goes for Duo, SMS an any
other 2FA user authentication scheme that can be configured in Fudo. This restriction is specific
only to forward account types.

12. Select Forward domain option to have the domain name included in the string identifying
the user.

Note:

10.1. Creating an account 188

Fudo Enterprise 5.4 - System Documentation

The ‘Forward domain’ option utilizes user’s domain settings as follows:

• If the user has an ‘AD Domain’ configured, Fudo Enterprise will use it for authenti-
cation againts the server.
• If the user doesn’t have an ‘AD Domain’ configured but has a ‘Fudo Domain’ con-
figured, Fudo Enterprise will use the ‘Fudo Domain’ for authentication against the
server.

13. For SSH connections, select the SSH Agent forwarding option to authenticate the user
against the target host using client’s SSH key. Use -A option for connecting to SSH server.
14. Click Save.
Related topics:
• Data model
• Deleting an account
• Editing an account
• Unblocking an account
• Blocking an account

10.1.3 Creating a regular account

1. Click + icon in the main menu next to the Accounts tab, or

Select Management > Accounts and then click + Add.

2. Define object’s name.

3. Select Blocked option to disable account after it’s created.

10.1. Creating an account 189

Fudo Enterprise 5.4 - System Documentation

4. Select regular from the Type drop-down list.

5. Select desired session recording option.
• all - Fudo Enterprise saves session metadata (basic session information),
records raw network traffic (RAW file) and stores session data in internal file
format (FBS). The latter enables session playback using the built-in session
player, as well as exporting sessions to a selection of video file formats.
• raw - Fudo Enterprise saves session metadata (basic session information) and
records raw network traffic (RAW file). The raw data can be downloaded
but it cannot be played back in graphical form using the built-in session
player (session player only depicts the networks packet exchange between
the client and the target host).
• noraw - Fudo Enterprise records the session data in a non-raw format that
could be played back using the built-in session player.
• none - Fudo Enterprise saves only session metadata (basic session informa-
tion).
6. In the Notes field, enter a message to Access Gateway users. If permissions are granted,
notes can be also edited.

Note: Account notes can be displayed in the User Portal (Access Gateway).

10.1. Creating an account 190

Fudo Enterprise 5.4 - System Documentation

7. In the Category field, select privileged or non-privileged to specify the account cate-
gory.

8. In the Data retention section, define automatic data removal settings.

Note: Data retention for sessions established using this account will only be active if global
retention is enabled. To change global retention settings see chapter Data Retention.

9. In the Permissions section, add users allowed to manage this object.

10. In the Server section, assign account to a specific server or a server pool by selecting it
from the Server drop-down list.
Configuring an account with access to the RDP server, an additional option will show up. In
the Inform about existing connection field select to set server settings / disable or enable this
option.

10.1. Creating an account 191

Fudo Enterprise 5.4 - System Documentation

Note: More about this feature under this link: Account activity in the Access Gateway.

11. In the Credentials section, enter privileged account domain.

Note: If a domain is entered in the Domain field, Fudo Enterprise will always use it to
authenticate against the server. The domain will be added automatically to the user’s login.

12. Type in login to the privileged account.

13. From the Replace secret with drop down list, select desired option.
secret from a different account
• From the Account drop-down list, select account object, whose credentials
will be used to authenticate user when establishing connection with moni-
tored server.
key

• Click the icon and select the key type.

• Click the icon and browse the file system to find the file with a non-
passphrase protected private key.
password from external repository
• Select external repository.
password
• Provide account password.
• Repeat account password.

Note: Two-fold authentication

With two-fold authentication enabled, user is being prompted twice for login
credentials. Once for authenticating against Fudo Enterprise and once again for
accessing target system.
To enable two-fold authentication, select password from the Replace secret with
drop-down list and leave the password and login fields empty.

10.1. Creating an account 192

Fudo Enterprise 5.4 - System Documentation

14. In the Password checkout time limit field, define the time after which the password is
returned automatically.

Note: Defining the password checkout time limit automatically enables the Secret Checkout
feature for the particular Safe.

15. For SSH connections, select the SSH Agent forwarding option to authenticate the user
against the target host using client’s SSH key. Use -A option for connecting to SSH server.
If password option was chosen as an authentication method, provide additional configuration:
• Select Password change policy from the list of the configured password change policies.
• Select Change password after last checkin option to change the password automatically
after it has been returned by the last user.

Note: This options is available only for Secret Checkout feature and it’s enabled after specifying
the Password checkout time limit.

• Select Change password after session option to change the account password remotely after
the session is ended.

Note: This option requires to choose at least one Password changer and a Password change
policy any other than Static, without restrictions.
Refer to the Password changers topic for detailed information on setting up password changers.

• Check the Password recovery option to set a password verifier, to automatically trigger a
password changer if it verifies that the password for an Account was changed and a new
password is not stored in Fudo Enterprise.

Note: Having the Password recovery option enabled, the Password Verifier spawns “Trigger
password changer” action in the account. When it’s disabled, the Password Verifier only sends
event “Unable to verify password for account <account_name>”.

• Click + Add password changer, to have the password to the account changed automatically
according to the password policy.
• In the Password changers section, from the Password changer drop-down list select pass-
word changer specific for given account.
• In the Timeout field, define the script’s execution time limit.
• In the Variables section, assign attributes to variables.

10.1. Creating an account 193

Fudo Enterprise 5.4 - System Documentation

Fudo Enterprise allows changing a password on a different node than the one that set as an
Active cluster node for Password changers.

In order to have this configured, the following condition should be met:

Setting up a Password Changer / Password Verifier for an account, a value for
transport_bind_ip variable should indicate the same cluster node for all password changers as
well as password verifiers.

10.1. Creating an account 194

Fudo Enterprise 5.4 - System Documentation

If the transport_bind_ip variable values indicate different cluster nodes, the configured pass-
word changer/verifier will be running on a node that set as an Active cluster node for Password
changers.

Related topics:
• Data model
• Editing an account
• Blocking an account
• Unblocking an account
• Deleting an account
• Password changers - active cluster node

10.2 Editing an account

1. Select Management > Accounts.

2. Define filters to limit the number of objects displayed on the list, or use a search bar.

3. Find and click desired object’s name to open its configuration page.
4. Modify configuration parameters as needed.
5. Click Save.
Related topics:
• Creating an account
• Blocking an account
• Unblocking an account
• Deleting an account

10.2. Editing an account 195

Fudo Enterprise 5.4 - System Documentation

10.3 Blocking an account

Warning: Blocking an accout definition will terminate all current connections to servers
which use selected account for accessing those servers.

1. Select Management > Accounts.

2. Define filters to limit the number of objects displayed on the list, or use a search bar.

3. Click Block.

4. Optionally, provide blocking reason and click Confirm.

Note: To view the blocking reason, place the cursor over the icon on the accounts list.

Related topics:
• Creating an account
• Editing an account
• Unblocking an account
• Deleting an account

10.3. Blocking an account 196

Fudo Enterprise 5.4 - System Documentation

10.4 Unblocking an account

1. Select Management > Accounts.

2. Define filters to limit the number of objects displayed on the list, or use a search bar.

3. Click Unblock.

4. Confirm unblocking selected objects.

Related topics:
• Blocking an account
• Creating an account
• Editing an account
• Deleting an account

10.5 Deleting an account

Warning: Deleting an accout definition will terminate all current connections to servers
which use selected account for accessing those servers.

1. Select Management > Accounts.

2. Define filters to limit the number of objects displayed on the list, or use a search bar.

10.4. Unblocking an account 197

Fudo Enterprise 5.4 - System Documentation

3. Click Delete.

4. Confirm deletion of selected objects.

Related topics:
• Creating an account
• Editing an account
• Blocking an account
• Unblocking an account

10.6 Managing security alerts

Fudo Enterprise tracks user’s action in User Portal (Access Gateway) and registers every pass-
word viewing. Blocking a user who has seen the current password is a potential security breach.
Fudo Enterprise identifies such events and communicates them to system’s administrators.

Administrator has an option to ignore the alert or trigger a password changer assigned to the
account.

10.6. Managing security alerts 198

Fudo Enterprise 5.4 - System Documentation

10.6.1 Triggering password change

Triggering password change on the accounts list

1. Select Management > Accounts.
2. Define filters to limit the number of objects displayed on the list, or use a search bar.

3. Click Change password.

4. Confirm changing password to selected accounts.

Triggering password change from account form
In the Credentials section, click Trigger password changer.

10.6. Managing security alerts 199

Fudo Enterprise 5.4 - System Documentation

Note: Account edit form contains a list of blocked users who have seen current password.

10.6.2 Ignoring security alert

Ignoring security alert on the accounts list

1. Select Management > Accounts.
2. Define filters to limit the number of objects displayed on the list, or use a search bar.

3. Click Ignore alert.

4. Confirm ignoring security alerts for selected accounts.

Ignoring security alert from the account form
In the Credentials section, click Ignore security alert.

10.6. Managing security alerts 200

Fudo Enterprise 5.4 - System Documentation

Note: Account edit form contains a list of blocked users who have seen current password.

Related topics:
• Password changers
• User Portal (Access Gateway)

10.6. Managing security alerts 201

CHAPTER 11

Listeners

Deprecated since version 5.4

Listener determines server connection mode (proxy, gateway, transparent, bastion) as well as its
specifics.

11.1 Creating a listener

Note:
• A listener cannot link to an account that is assigned to a server with a different protocol
then the one defined in the listener.
• A proxy type listener can link to only one server.
• A bastion type listener cannot link to an anonymous account.
• A listener cannot link to the same anonymous account through two different safes.
• A listener cannot link to an anonymous and a regular or forward account to the same
server with the same protocol as the listener’s protocol.

202
Fudo Enterprise 5.4 - System Documentation

• A listener cannot link to two regular or forward type accounts to the same server with the
same protocol as the listener’s protocol, to which a single user has access.
• For a given linked RDP listener and RDP server, both have to use either Standard RDP
Security or TLS or NLA.

In order to create a Listener, follow the instruction:

1. Click + icon in the main menu next to the Listeners tab, or
Select Management > Listeners and then click + Add listener.

2. Enter listener’s unique name.

3. Select Blocked option to disable access to servers through this listener after it’s created.

4. Go to Permissions tab and add users allowed to manage this listener. Use filtering by
name or by role to limit the number of objects displayed on the list.

11.1. Creating a listener 203

Fudo Enterprise 5.4 - System Documentation

5. Go back to Settings tab, choose desired protocol button and follow the corresponding
chapter below to complete the listener creation:
• Setting up the SSH listener
• Setting up the RDP listener
• Setting up the VNC listener
• Setting up the HTTP listener
• Setting up the Modbus listener
• Setting up the MySQL listener
• Setting up the TCP listener
• Setting up the MS SQL listener
• Setting up the Telnet listener
• Setting up the Telnet 3270 listener
• Setting up the Telnet 5250 listener

11.1.1 Setting up the SSH listener

This section describes how to setup SSH listener. To learn first steps of creating listener, please
follow Creating a listener section.

1. Go to Settings tab and press the SSH button in the Protocol field.
2. 2. Select Legacy ciphers option to allow negotiating older encryption algorithms when
establishing connections.
3. Select the Case insensitivity option to disable case sensitivity in the username string when
connecting over this listener.

11.1. Creating a listener 204

Fudo Enterprise 5.4 - System Documentation

4. Select ProxyJump option to allow an intermediary system to connect to the target server.
5. Select Announcement option to enable it’s field and type in the notification that will be
presented to the user on the login screen.
6. In the Connection mode section, select desired connection mode.
bastion

Note:
• User connects to the target host by including name along with account lo-
gin on the target server and target server address in the login string, e.g.
john_smith#root#192.168.0.110.
• For details on bastion connection mode, refer to Connection modes topic.

• Select bastion button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.

Note:
• The Local address drop-down list elements are IP address defined in the Network
configuration menu (Network interfaces configuration) or labeled IP addresses
(Labeled IP addresses).
• Selecting the Any option will result in Fudo listening on all configured IP ad-
dresses.
• In case of cluster configuration, select a labeled IP address from the Local ad-
dress drop-down list and make sure that other nodes have IP addresses assigned
to this label. For more information refer to the Labeled IP addresses topic.

11.1. Creating a listener 205

Fudo Enterprise 5.4 - System Documentation

• Select External address option to enable its field and enter an IP address (or
FQDN name) along with the port number, under which Fudo can be accessed
from outside the local network.
proxy

Note: User connects to the target host by providing Fudo Enterprise IP address
and port number which unambiguously identifies target host.

• Select proxy button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.

• Select External address option to enable its field and enter an IP address (or
FQDN name) along with the port number, under which Fudo can be accessed
from outside the local network.
gateway

Deprecated since version 5.4

Fudo Enterprise 5.4 is the last version supporting gateway mode in the listeners
configuration. Listeners using this mode must be reconfigured to use proxy and
bastion modes before upgrading to the next release.

Note: User connects to the target host by providing its actual IP address. Fudo
Enterprise moderates the connection with the remote host using own IP address.
This option requires deploying Fudo Enterprise in the bridge mode.

• Select gateway button in the Connection mode field.

• Select the network interface used for handling connections over this listener.
transparent

Deprecated since version 5.4

11.1. Creating a listener 206

Fudo Enterprise 5.4 - System Documentation

Fudo Enterprise 5.4 is the last version supporting transparent mode in the listeners
configuration. Listeners using this mode must be reconfigured to use proxy and
bastion modes before upgrading to the next release.

Note: User connects to the target host by providing its actual IP address. Fudo
Enterprise moderates the connection with the remote host using user’s IP address.
This option requires deploying Fudo Enterprise in the bridge mode.

• Select transparent button in the Connection mode field.

• Select the network interface used for handling connections over this listener.
7. In the Fudo private key field, click Generate key pair to generate private/public key pair,
or click Upload to upload it.
8. Click Save.
Related topics:
• Data model
• Editing a listener
• Deleting a listener
• Blocking a listener
• Unblocking a listener

11.1.2 Setting up the RDP listener

This section describes how to setup RDP listener. To learn first steps of creating listener, please
follow Creating a listener section.

1. Go to Settings tab and press the RDP button in the Protocol field.
2. Select the TLS enabled option to enable encryption.
3. Check the NLA enabled option for additional security.

11.1. Creating a listener 207

Fudo Enterprise 5.4 - System Documentation

Note: Security mode must match the security mode setting in the RDP server configuration.
In case the TLS enabled option is chosen, select Legacy ciphers option to allow negotiating older
encryption algorithms (DSA(1024), RSA(1024)) when establishing RDP connections.

4. Select Announcement option to enable it’s field and type in the notification that will be
presented to the user on the login screen.
5. In the Connection mode section, select desired connection mode.
bastion

• Select bastion button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.
• Select External address option to enable its field and enter an IP address (or
FQDN name) along with the port number, under which Fudo can be accessed
from outside the local network.

Note:

11.1. Creating a listener 208

Fudo Enterprise 5.4 - System Documentation

• The Local address drop-down list elements are IP address defined in the Network
configuration menu (Network interfaces configuration) or labeled IP addresses
(Labeled IP addresses).
• Selecting the Any option will result in Fudo listening on all configured IP ad-
dresses.
• In case of cluster configuration, select a labeled IP address from the Local ad-
dress drop-down list and make sure that other nodes have IP addresses assigned
to this label. For more information refer to the Labeled IP addresses topic.

proxy

Note: User connects to the target host by providing Fudo Enterprise IP address
and port number which unambiguously identifies target host.

• Select proxy button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.

• Select External address option to enable its field and enter an IP address (or
FQDN name) along with the port number, under which Fudo can be accessed
from outside the local network.
gateway

Deprecated since version 5.4

11.1. Creating a listener 209

Fudo Enterprise 5.4 - System Documentation

• Select gateway button in the Connection mode field.

• Select the network interface used for handling connections over this listener.
transparent

Deprecated since version 5.4

• Select transparent button in the Connection mode field.

• Select the network interface used for handling connections over this listener.
6. In the CA certificate field, click Generate certificate to generate TLS certificate, or click
Upload to upload server certificate file with private key pasted at the end of the file.
The rest of the required fields will be filled automatically. Allowed format of the server
certificate file is PEM.

7. Click Save.
Related topics:
• Data model
• Editing a listener
• Deleting a listener

11.1. Creating a listener 210

Fudo Enterprise 5.4 - System Documentation

• Blocking a listener
• Unblocking a listener

11.1.3 Setting up the VNC listener

This section describes how to setup VNC listener. To learn first steps of creating listener, please
follow Creating a listener section.

1. Go to Settings tab and press the VNC button in the Protocol field.

2. Select the Case insensitivity option to disable case sensitivity in the username string when
connecting over this listener.
3. Select Announcement option to enable it’s field and type in the notification that will be
presented to the user on the login screen.
4. In the Connection mode section, select desired connection mode.
bastion

• Select bastion button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.

11.1. Creating a listener 211

Fudo Enterprise 5.4 - System Documentation

Note:
• The Local address drop-down list elements are IP address defined in the Network
configuration menu (Network interfaces configuration) or labeled IP addresses
(Labeled IP addresses).
• In case of cluster configuration, select a labeled IP address from the Local ad-
dress drop-down list and make sure that other nodes have IP addresses assigned
to this label. For more information refer to the Labeled IP addresses topic.

proxy

Note: User connects to the target host by providing Fudo Enterprise IP address
and port number which unambiguously identifies target host.

• Select proxy button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.

• Select External address option to enable its field and enter an IP address (or
FQDN name) along with the port number, under which Fudo can be accessed
from outside the local network.
gateway

Deprecated since version 5.4

11.1. Creating a listener 212

Fudo Enterprise 5.4 - System Documentation

• Select gateway button in the Connection mode field.

• Select the network interface used for handling connections over this listener.
transparent

Deprecated since version 5.4

• Select transparent button in the Connection mode field.

• Select the network interface used for handling connections over this listener.
5. Click Save.
Related topics:
• Data model
• Editing a listener
• Deleting a listener
• Blocking a listener
• Unblocking a listener

11.1.4 Setting up the HTTP listener

This section describes how to setup HTTP listener. To learn first steps of creating listener,
please follow Creating a listener section.
1. Go to Settings tab and press the HTTP button in the Protocol field.
2. Select the TLS enabled option to enable encryption.
3.In case the TLS enabled option is chosen, select Legacy ciphers option to allow negotiating
older encryption algorithms (DSA(1024), RSA(1024)) when establishing RDP connections.
4. Select Render sessions to enable graphical session rendering.

11.1. Creating a listener 213

Fudo Enterprise 5.4 - System Documentation

Note:
• Graphical HTTP rendering requires a substantial amount of processing power. It is rec-
ommended to limit the number of rendered HTTP sessions to minimum to ensure high
system’s responsiveness.
• During rendered HTTP sessions raw protocol data is not recorded.
• Render sessions option must be enabled to activate authentication in the HTTP servers
(refer to the Creating an HTTP server topic).

5. In the Connection mode section, select desired connection mode.

bastion
• Select bastion button in the Connection mode field.
• Select the IP address from the Local address drop-down list and enter port
number.

Note:
• Bastion mode is supported for rendered mode only.
• User connects to the target host by including its name in the login string, e.g.
john_smith#mail_server.
• For details on bastion connection mode, refer to Connection modes topic.

• Select External address option to enable its field and enter an IP address (or
FQDN name) along with the port number, under which Fudo can be accessed
from outside the local network.
proxy

11.1. Creating a listener 214

Fudo Enterprise 5.4 - System Documentation

Note: User connects to the target host by providing Fudo Enterprise IP address
and port number which unambiguously identifies target host.

• Select proxy button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.

• Select External address option to enable its field and enter an IP address (or
FQDN name) along with the port number, under which Fudo can be accessed
from outside the local network.
gateway

Deprecated since version 5.4

• Select gateway button in the Connection mode field.

• Select the network interface used for handling connections over this listener.
transparent

Deprecated since version 5.4

11.1. Creating a listener 215

Fudo Enterprise 5.4 - System Documentation

• Select transparent button in the Connection mode field.

7. Click Save.
Related topics:
• Data model
• Editing a listener
• Deleting a listener
• Blocking a listener
• Unblocking a listener

11.1. Creating a listener 216

Fudo Enterprise 5.4 - System Documentation

11.1.5 Setting up the Modbus listener

This section describes how to setup RDP listener. To learn first steps of creating listener, please
follow Creating a listener section.

1. Go to Settings tab and press the Show all button to expand supported protocols list.
2. Press Modbus button in the Protocol field.

3. In the Connection mode section, select desired connection mode.

proxy

Note: User connects to the target host by providing Fudo Enterprise IP address
and port number which unambiguously identifies target host.

• Select proxy button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.

gateway

Deprecated since version 5.4

11.1. Creating a listener 217

Fudo Enterprise 5.4 - System Documentation

• Select gateway button in the Connection mode field.

• Select the network interface used for handling connections over this listener.
transparent

Deprecated since version 5.4

• Select transparent button in the Connection mode field.

• Select the network interface used for handling connections over this listener.
4. Click Save.
Related topics:
• Data model
• Editing a listener
• Deleting a listener
• Blocking a listener
• Unblocking a listener

11.1.6 Setting up the MySQL listener

This section describes how to setup MySQL listener. To learn first steps of creating listener,
please follow Creating a listener section.

1. Go to Settings tab, press the Show all button to expand supported protocols list.
2. Press MySQL button in the Protocol field.

11.1. Creating a listener 218

Fudo Enterprise 5.4 - System Documentation

3. In the Connection mode section, select desired connection mode.

proxy

Note: User connects to the target host by providing Fudo Enterprise IP address
and port number which unambiguously identifies target host.

• Select proxy button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.

gateway

Deprecated since version 5.4

Note: User connects to the target host by providing its actual IP address. Fudo

11.1. Creating a listener 219

Fudo Enterprise 5.4 - System Documentation

Enterprise moderates the connection with the remote host using own IP address.
This option requires deploying Fudo Enterprise in the bridge mode.

• Select gateway button in the Connection mode field.

• Select the network interface used for handling connections over this listener.
transparent

Deprecated since version 5.4

• Select transparent button in the Connection mode field.

11.1.7 Setting up the TCP listener

This section describes how to setup TCP listener. To learn first steps of creating listener, please
follow Creating a listener section.

1. Go to Settings tab, press the Show all button to expand supported protocols list.
2. Press TCP button in the Protocol field.

11.1. Creating a listener 220

Fudo Enterprise 5.4 - System Documentation

3. In the Connection mode section, select desired connection mode.

bastion

• Select bastion button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.
proxy

Note: User connects to the target host by providing Fudo Enterprise IP address
and port number which unambiguously identifies target host.

• Select proxy button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.

11.1. Creating a listener 221

Fudo Enterprise 5.4 - System Documentation

• In case of cluster configuration, select a labeled IP address from the Local ad-
dress drop-down list and make sure that other nodes have IP addresses assigned
to this label. For more information refer to the Labeled IP addresses topic.

gateway

Deprecated since version 5.4

• Select gateway button in the Connection mode field.

• Select the network interface used for handling connections over this listener.
transparent

Deprecated since version 5.4

• Select transparent button in the Connection mode field.

• Select the network interface used for handling connections over this listener.
4. Click Save.
Related topics:
• TCP
• Creating a TCP server
• Data model

11.1. Creating a listener 222

Fudo Enterprise 5.4 - System Documentation

11.1.8 Setting up the MS SQL listener

This section describes how to setup MS SQL listener. To learn first steps of creating listener,
please follow Creating a listener section.

1. Go to Settings tab, press the Show all button to expand supported protocols list.
2. Press MS SQL(TDS) button in the Protocol field.

3. In the Connection mode section, select desired connection mode.

bastion

• Select bastion button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.
proxy

Note: User connects to the target host by providing Fudo Enterprise IP address
and port number which unambiguously identifies target host.

• Select proxy button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.

11.1. Creating a listener 223

Fudo Enterprise 5.4 - System Documentation

gateway

Deprecated since version 5.4

• Select gateway button in the Connection mode field.

• Select the network interface used for handling connections over this listener.
transparent

Deprecated since version 5.4

• Select transparent button in the Connection mode field.

• Select the network interface used for handling connections over this listener.
4. Click Save.
Related topics:
• Data model

11.1. Creating a listener 224

Fudo Enterprise 5.4 - System Documentation

• Editing a listener
• Deleting a listener
• Blocking a listener
• Unblocking a listener

11.1.9 Setting up the Telnet listener

This section describes how to setup Telnet listener. To learn first steps of creating listener,
please follow Creating a listener section.

1. Go to Settings tab, press the Show all button to expand supported protocols list.
2. Press Telnet button in the Protocol field.

3. In the Connection mode section, select desired connection mode.

bastion

• Select bastion button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.
proxy

11.1. Creating a listener 225

Fudo Enterprise 5.4 - System Documentation

Note: User connects to the target host by providing Fudo Enterprise IP address
and port number which unambiguously identifies target host.

• Select proxy button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.

gateway

Deprecated since version 5.4

• Select gateway button in the Connection mode field.

• Select the network interface used for handling connections over this listener.
transparent

Deprecated since version 5.4

Note: User connects to the target host by providing its actual IP address. Fudo
Enterprise moderates the connection with the remote host using user’s IP address.

11.1. Creating a listener 226

Fudo Enterprise 5.4 - System Documentation

This option requires deploying Fudo Enterprise in the bridge mode.

• Select transparent button in the Connection mode field.

11.1.10 Setting up the Telnet 3270 listener

This section describes how to setup Telnet 3270 listener. To learn first steps of creating listener,
please follow Creating a listener section.

1. Go to Settings tab, press the Show all button to expand supported protocols list.
2. Press Telnet 3270 button in the Protocol field.

3. In the Connection mode section, select desired connection mode.

bastion

Note:
• User connects to the target host by including name along with account lo-
gin on the target server and target server address in the login string, e.g.
john_smith#root#192.168.0.110.

11.1. Creating a listener 227

Fudo Enterprise 5.4 - System Documentation

• For details on bastion connection mode, refer to Connection modes topic.

• Select bastion button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.
proxy

Note: User connects to the target host by providing Fudo Enterprise IP address
and port number which unambiguously identifies target host.

• Select proxy button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.

gateway

Deprecated since version 5.4

• Select gateway button in the Connection mode field.

• Select the network interface used for handling connections over this listener.
transparent

Deprecated since version 5.4

11.1. Creating a listener 228

Fudo Enterprise 5.4 - System Documentation

• Select transparent button in the Connection mode field.

11.1.11 Setting up the Telnet 5250 listener

This section describes how to setup Telnet 5250 listener. To learn first steps of creating listener,
please follow Creating a listener section.

1. Go to Settings tab, press the Show all button to expand supported protocols list.
2. Press Telnet 5250 button in the Protocol field.

3. In the Connection mode section, select desired connection mode.

11.1. Creating a listener 229

Fudo Enterprise 5.4 - System Documentation

bastion

• Select bastion button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.
proxy

Note: User connects to the target host by providing Fudo Enterprise IP address
and port number which unambiguously identifies target host.

• Select proxy button in the Connection mode field.

• Select the the IP address from the Local address drop-down list and enter port
number.

gateway

Deprecated since version 5.4

11.1. Creating a listener 230

Fudo Enterprise 5.4 - System Documentation

• Select gateway button in the Connection mode field.

• Select the network interface used for handling connections over this listener.
transparent

Deprecated since version 5.4

• Select transparent button in the Connection mode field.

11.2 Editing a listener

1. Select Management > Listeners.

2. Define filters to limit the number of objects displayed on the list, or use a search bar.

3. Find and click on a name of the desired listener to access its configuration parameters.

11.2. Editing a listener 231

Fudo Enterprise 5.4 - System Documentation

4. Modify configuration values as needed.

5. Click Save.
Related topics:
• Data model
• System initiation
• Servers

11.3 Blocking a listener

Warning: Blocking a listener will terminate current connections with server which uses it.

1. Select Management > Listeners.

2. Define filters to limit the number of objects displayed on the list, or use a search bar.

3. Select one or more listeners to block by checking the box next to listener’s name.
4. Click Unblock / Block button to disable access to hosts over selected listeners.
5. Provide descriptive reason for blocking given resource (required) and click Block in dis-
played dialog box.

Note: To view the blocking reason, place the cursor over the red cross icon on the listeners
list.

Related topics:
• Data model
• System initiation
• Servers

11.3. Blocking a listener 232

Fudo Enterprise 5.4 - System Documentation

11.4 Unblocking a listener

1. Select Management > Listeners.

2. Define filters to limit the number of objects displayed on the list, or use a search bar.

3. Select one or more listeners to unblock by checking the box next to listener’s name.
4. Click Unblock / Block button to enable access to hosts over selected listeners.
5. Click Unblock button in displayed dialog box to confirm unblocking selected objects.
Related topics:
• Data model
• System initiation
• Servers

11.5 Deleting a listener

Warning: Deleting a listener will terminate current connections with server which uses it.

1. Select Management > Listeners.

2. Define filters to limit the number of objects displayed on the list, or use a search bar.

11.4. Unblocking a listener 233

Fudo Enterprise 5.4 - System Documentation

3. Select one or more listeners to delete by checking the box next to listener’s name.
4. Click Delete selected.
5. Confirm deleting selected objects by choosing Confirm button in displayed dialog box.
Related topics:
• Data model
• System initiation
• Servers

11.5. Deleting a listener 234

CHAPTER 12

Safes

Safe directly regulates user access to monitored servers. It specifies available protocols’ features,
policies and other details concerning users and servers relations.

Note:
• The system safe can only contain system account.
• The portal safe can only contain the portal account.
• Operator, admin and superadmin users always have access to the system safe.
• User type users cannot have access to the system safe.
• Anonymous user must have access to safes containing anonymous accounts.

235
Fudo Enterprise 5.4 - System Documentation

12.1 Creating a safe

1. Click + icon in the main menu next to the Safes tab, or

Select Management > Safes and then click + Add.
2. Enter object’s name.
3. Select Blocked option to disable access to object after it’s created.
4. Select Login reason option, to display prompt upon logging in, asking user to enter login
reason.

Note: Login reason is not supported in HTTP connections.

5. Select Access request required votes option and provide a number of the voters. This
option enables a so called Just-In-Time feature that allows defining and scheduling the
time when a user is allowed to access specific resources for a set period of time. The user
sends requests via the Access Gateway and the voters accept or reject them on an the
Admin Panel. Read more about the Just-In-Time feature in a Access requests page.
6. Select Require approval option to have the administrator approve each connection to servers
accessed through configured safe. Provide how many minutes the administrator has to
approve or reject a request.
7. Assign security policies in the Policies field.
8. From the Note access drop-down list, select access rights to account related notes:
read-only access or write access.
Notes can be accessed either from the account edit form

or in the Access Gateway.

12.1. Creating a safe 236

Fudo Enterprise 5.4 - System Documentation

9. Select Session time limit option and input a minutes value.

10. Select Session inactivity limit option and input a minutes value.
11. The OTP in Access Gateway option is enabled by default and is responsible for generating
OTP in the Access Gateway.

Warning: Disabling the OTP in Access Gateway option makes impossible connecting via
the Native Client or Web Client. Access via the Access requests would be possible only.

12. For RDP, VNC and SSH-based safes, select Web Client option to allow connecting to the
session in browser.

Note: The Web Client option can’t be enabled when the OTP in Access Gateway option is
disabled.

13. Select a Backup target as a destination place for storing data.

14. In the Protocol functionality section, select allowed protocols’ features.

Note: With the Suspend option enabled for the RDP sessions, its content will not be available
for viewing when the user minimizes its client application.
With the Client Cut Text option enabled for the VNC sessions, a user is allowed to paste text
into the VNC server computer.
With the Server Cut Text option enabled for the VNC sessions, a user is allowed to copy and

12.1. Creating a safe 237

Fudo Enterprise 5.4 - System Documentation

paste text from the VNC server computer into the user’s computer.

15. Select Users tab to assign users allowed to access accounts assigned to this safe.
• Click + Add user.

• Click to add users.

• Click ok to close the modal window.
• Define safe access options.

– Click to fill out the Valid from and Valid to fields with date and time interval
when user will be allowed to access servers through the given safe. When defined
date and time comes, access to the given safe is granted to the user automatically.

– Click to enable and define time intervals during which the user will be allowed to
connect to servers.

– Click to allow user to use Secret Checkout feature and view passwords in the
Access Gateway.

– Click to disable access for selected user.

– Click to delete selected user from the safe.

Note: Access time policy options are disabled when the Access request required votes option
is enabled for the safe.

12.1. Creating a safe 238

Fudo Enterprise 5.4 - System Documentation

16. Select Granted users tab to assign users allowed to manage this object.
• Click + Add user.

• Click to add users.

• Select notifications that will be enabled for the particular granted user. More on this
subject is at the Notifications page.
• Click ok to close the modal window.

17. Select Accounts tab to add accounts accessible through this safe.
• Click + Add account.

• Click to add accounts.

• Click ok to close the modal window.
• Click to assign listeners to accounts.

• Click to add listeners.

• Click ok to close the modal window.

18. Click Save.

Related topics:
• Data model
• Editing a safe
• Blocking a safe
• Deleting a safe

12.1. Creating a safe 239

Fudo Enterprise 5.4 - System Documentation

12.2 Editing a safe

1. Select Management > Safes.

2. Define filters to limit the number of objects displayed on the list, or use a search bar.

3. Find and click desired object’s name to open its configuration page.
4. Modify configuration parameters as needed.
5. Click Save.
Related topics:
• Data model
• Creating a safe
• Blocking a safe
• Unblocking a safe

12.3 Blocking a safe

Warning: Blocking a safe definition will terminate all current connections that use accounts
assigned to this safe to connect to servers.

1. Select Management > Safes.

2. Define filters to limit the number of objects displayed on the list, or use a search bar.

12.2. Editing a safe 240

Fudo Enterprise 5.4 - System Documentation

3. Click Block.

4. Optionally, provide blocking reason and click Confirm.

Note: To view the blocking reason, place the cursor over the icon on the safes list.

Related topics:
• Unblocking a safe
• Data model
• Creating a safe
• Blocking a safe

12.4 Unblocking a safe

1. Select Management > Safes.

2. Define filters to limit the number of objects displayed on the list, or use a search bar.

12.4. Unblocking a safe 241

Fudo Enterprise 5.4 - System Documentation

3. Click Unblock.

4. Click Confirm to unblock selected objects.

Related topics:
• Blocking a safe
• Data model
• Creating a safe
• Deleting a safe

12.5 Deleting a safe

Warning: Deleting a safe definition will terminate all current connections that use accounts
assigned to this safe to connect to servers.

1. Select Management > Safes.

2. Define filters to limit the number of objects displayed on the list, or use a search bar.

12.5. Deleting a safe 242

Fudo Enterprise 5.4 - System Documentation

3. Click Delete.

4. Confirm deletion of selected objects.

Related topics:
• Data model
• Creating a safe
• Editing a safe
• Blocking a safe
• Unblocking a safe

12.5. Deleting a safe 243

CHAPTER 13

Discovery

The Discovery feature is able to search for accounts with different privilege levels on domain
controllers, servers on domain controllers, and local accounts on Windows servers.
Additional nomenclature that comes along with this feature within the Discovery, the Accounts,
and the Servers tab:
• Scanner - the main component that aims to discover accounts or servers on the target
server. The scanner can have a rule that defines an action that follows the discovery. The
scanner can be executed manually or automatically according to the schedule.
• Rule - allows setting criteria for the objects to be discovered and the actions to be per-
formed after their discovery.
• Account Category - is a privilege level of the account.
• Discovered Accounts - accounts that were discovered by the scanner.
• Discovered Servers - servers that were discovered by the scanner.
• Onboarded Accounts - accounts that were unblocked on the target server and optionally
added to the listener and / or safe.
• Onboarded Servers - servers that were unblocked on the target server and optionally added
to the pools.
• Quarantined Accounts / Servers - accounts or servers that were blocked on the target
server.

Note:
• The Discovery feature executes scanning Active Directory by connecting using the LDAP
protocol.
• The WinRM protocol is used to connect to the server and scan for local accounts.

The Discovery function needs two objects to provide the most efficient results:

244
Fudo Enterprise 5.4 - System Documentation

1. A scanner with configuration of the target server and an account to connect, and a schedule
for running the scanner automatically.
2. A rule to specify what the scanner should do in terms of its discovery.
To have the Discovery function fully automatic, it is advised to start its configuration from
creating a rule and next, create a scanner.
Although, if you want to onboard or send to quarantine the discovered accounts or servers
manually, you can complete Creating a scanner step only, as the scanner can work without the
rules being added. Next, discovered accounts or servers can be moved further with the Managing
discovered accounts or Managing discovered servers option, available in the Accounts and Servers
tab.

Note: The active node, which is used for the scanning process, can be checked under the
Discovery section in the Settings > System tab.

13.1 Creating a rule

Each rule can be enabled or disabled anytime. When a rule is enabled, the system will automat-
ically onboard or send to quarantine matching accounts or servers according to the given rule
actions. The rules apply to just discovered elements but not to the elements that are already
onboarded or sent to quarantine by the rules. In practice, it means that after a particular rule
is changed, its actions will be applied to the accounts or servers that were discovered after the
changes are saved.

13.1.1 Creating a rule for accounts

In order to create a rule for discovered accounts, proceed as follows:

1. Select Management > Discovery > Rules
2. Click + Add

13.1. Creating a rule 245

Fudo Enterprise 5.4 - System Documentation

3. Enter rule’s name.

4. Select Accounts from the Scanner type drop-down list.
5. Optionally, enter rule’s description.
6. In Configuration section:
6.1. Select Account category (privileged, non-privileged or all).
6.2. In the Account login field select consists, starts with or ends with and
provide a specific string for the target account login(s).
7. Define Actions:
7.1. Send to quarantine or
7.2. Onboard by adding the discovered accounts to the Safe and/or Listener.
Please note that listeners with bastion mode are supported only.

8. Click Save.
Related topics:
• Managing rules
• Creating a scanner

13.1. Creating a rule 246

Fudo Enterprise 5.4 - System Documentation

13.1.2 Creating a rule for servers

In order to create a rule for discovered servers, proceed as follows:

1. Select Management > Discovery > Rules
2. Click + Add

3. Enter rule’s name.

4. Select Servers from the Scanner type drop-down list.
5. Optionally, enter rule’s description.
6. In Configuration section in the Server address field select consists, starts with or ends
with and provide a specific string for the target server address(es).
7. Define Actions:
7.1. Send to quarantine or
7.2. Onboard by adding the discovered servers to selected Pool.

8. Click Save.

Note:
• Server with the same name as the one existing in Fudo Enterprise will not be added after
scanning.

13.1. Creating a rule 247

Fudo Enterprise 5.4 - System Documentation

• Taking the server on a quarantine will block this server in the domain.
• Onboarding the server unblocks the server in the domain.
• If the server is removed from the domain, it will be removed from Fudo Enterprise after
the next scan step.

Related topics:
• Managing rules
• Creating a scanner

13.2 Managing rules

Related topics:
• Creating a scanner
• Managing discovered servers
• Managing discovered accounts

13.3 Creating a scanner

13.3.1 Creating a scanner for Domain Controller Accounts

The Discovery feature is able to search domain controllers for accounts with different privilege
levels and add them to the relevant safes and/or listeners. This Onboarding process, which grants
the discovered accounts access to connections, is a basis of the Discovery feature. Alternatively,
the feature can send the accounts to quarantine, which means blocking accounts on the target
server.

Note: Before proceeding with creating a scanner, you need to set up:
• a server that will be scanned for accounts - refer to the Servers section,

13.2. Managing rules 248

Fudo Enterprise 5.4 - System Documentation

• an administrator’s account on that server - refer to the Accounts section,

• and a pool to which you want to assign the detected accounts - refer to the Pools section.
Password change policy, password changer, and password verifier can be added later, after saving
the scanner.

In order to create a scanner, proceed as follows:

1. Select Management > Discovery > Scanners
2. Click + Add
3. Enter scanner’s name.
4. Select Domain Controller Accounts from the Scanner type drop-down list.
5. Optionally, enter scanner’s description.
6. In the Schedule section, choose a day and time for your scanner to start automatically on
a weekly basis. This field is optional, so you can skip this step to start your scan manually
anytime.
7. Fill Configuration section with:
7.1. Target server in the Scan on server field.
7.2. Port number to the target server.
7.3. CA certificate.
7.4. Base DN value to indicate the exact location in the domain (optional). Use
following format: cn=##username##,dc=example,dc=com.
7.5. Group DN value to indicate the exact group in the domain (optional). Use
following format: cn=##username##,dc=example,dc=com.

Note: If Base DN or Group DN is not specified, the scanner will search the entire
domain.

7.6. Account to be used to connect to the target server.

7.7. Select Account category to be found (privileged, non-privileged or all).

Note: The Discovery feature identifies privileged accounts within Active Directory
(AD) based on specific group memberships that signify high levels of rights and
permissions. To be recognized as privileged by the Discovery scanner, accounts must
belong to one of four AD’s high-privilege groups:
• Enterprise Admins (EA),
• Domain Admins (DA),
• Built-in Administrators (BA),
• Schema Admins (SA).

7.8. Select the Pools to which the discovered accounts will be assigned.

13.3. Creating a scanner 249

Fudo Enterprise 5.4 - System Documentation

7.9. Choose previously defined Rules to set the following actions after the scan.
Please note that in case more than one rule is added and their actions
overlap, the order of the rules is taken into account: the first matching
rule will be applied.

8. In Password Changers section select Password change policy, Password changer, and Password
verifier which will be automatically assigned to discovered accounts.

Note:
• Administrator can predefine password changer variable values in Password changers con-
figuration (refer to the Custom password changers section).
• Predefining values is optional. If variable is not defined, it will take value from account
that password changer is assigned to.
• Default password changers don’t have predefined variable values.

8. Click Save.
Related topics:
• Creating a rule
• Managing discovered accounts

13.3. Creating a scanner 250

Fudo Enterprise 5.4 - System Documentation

13.3.2 Creating a scanner for Domain Controller Servers

The Discovery feature is able to search domain controllers for servers and add them to the
relevant pools during the Onboarding process. Alternatively, the feature can send the servers to
quarantine, which means blocking servers in the domain.

Note: Before proceeding with creating a scanner, you need to set up:
• a server that will be scanned - refer to the Servers section,
• a privileged account on that server - refer to the Accounts section.

In order to create a scanner, proceed as follows:

1. Select Management > Discovery > Scanners
2. Click + Add
3. Enter scanner’s name.
4. Select Domain Controller Servers from the Scanner type drop-down list.
5. Optionally, enter scanner’s description.
6. In the Schedule section, choose a day and time for your scanner to start automatically on
a weekly basis. This field is optional, so you can skip this step to start your scan manually
anytime.
7. Fill Configuration section with:
7.1. Target server in the Scan on server field.
7.2. Port number to the target server.
7.3. CA certificate.
7.4. Base DN value to indicate the exact location in the domain (optional). Use
following format: cn=##username##,dc=example,dc=com.
7.5. Group DN value to indicate the exact group in the domain (optional). Use
following format: cn=##username##,dc=example,dc=com.

Note: If Base DN or Group DN is not specified, the scanner will search the entire
domain.

7.6. Account to be used to connect to the target server.

7.7. Server CA certificate which will be assigned to the discovered servers.
7.8. Choose previously defined Rules to set the following actions after the scan.
Please note that in case more than one rule is added and their actions
overlap, the order of the rules is taken into account: the first matching
rule will be applied.

13.3. Creating a scanner 251

Fudo Enterprise 5.4 - System Documentation

8. Click Save.
Related topics:
• Creating a rule
• Managing discovered servers

13.3.3 Creating a scanner for local accounts

The Discovery feature is able to search Windows servers in a pool for local accounts and add
them to the relevant safes and/or listeners. Alternatively, the feature can send the accounts to
quarantine, which means blocking accounts on the target server.

Note: Before proceeding with creating a scanner, you need to set up:
• a pool of servers that will be scanned for local accounts - refer to the Pools section,
• an administrator’s account with access to all scanned servers - refer to the Accounts section.
Password change policy, password changer, and password verifier can be added later, after saving
the scanner.

In order to create a scanner, proceed as follows:

1. Select Management > Discovery > Scanners
2. Click + Add
3. Enter scanner’s name.
4. Select Windows Local Accounts from the Scanner type drop-down list.
5. Optionally, enter scanner’s description.
6. In the Schedule section, choose a day and time for your scanner to start automatically on
a weekly basis. This field is optional, so you can skip this step to start your scan manually
anytime.

13.3. Creating a scanner 252

Fudo Enterprise 5.4 - System Documentation

7. In Configuration section:
7.1. Select the pool of servers, where scanning will be performed.
7.2. Specify port number in the Port field.
7.3. Provide CA certificate.
7.4. Select Account to be used to connect to the target server.

Note: In order to use one scanner to scan local accounts on multiple Windows
servers, an administrator account with exactly the same authentication method must
exist on every scanned server.

7.5. Choose previously defined Rules to set the following actions after the scan.
Please note that in case more than one rule is added and their actions
overlap, the order of the rules is taken into account: the first matching
rule will be applied.

8. In Password Changers section select Password change policy, Password changer, and Password
verifier which will be automatically assigned to discovered accounts.

8. Click Save.
Related topics:
• Creating a rule
• Managing discovered accounts

13.3. Creating a scanner 253

Fudo Enterprise 5.4 - System Documentation

13.4 Managing scanners

The scanners with defined schedule can have scheduling enabled or disabled anytime. When a
scanner has scheduling enabled, the system will automatically execute the given scanner con-
figuration. When a scanner’s scheduling is disabled, the system will wait for the decision from
superadmin to start its execution.
Multiple scanners can be started simultaneously or deleted after being selected.

Related topics:
• Creating a rule
• Managing discovered servers
• Managing discovered accounts

13.5 Managing discovered accounts

Discovered, onboarded and quarantined accounts are available in the main Accounts view.

Note: Usually, discovered accounts are not onboarded automatically due to a lack of automatic
rule in the system. Administrator can manually onboard them by choosing the Manage Accounts
option.

13.4. Managing scanners 254

Fudo Enterprise 5.4 - System Documentation

1. Select Management > Accounts and respectful tab: Discovered, Onboarded or Quarantined.
2. Choose the accounts to be onboarded or quarantined by selecting the respective checkboxes
next to their names.
3. Click on the Manage Accounts option on the top of the functional menu - a modal will
pop up.
4. Choose an action:
4.1 Send to quarantine (optionally, you can add a reason) or
4.2 Onboard by adding the discovered accounts to the Safe and/or Listener. Warn-
ing: The listeners with bastion mode are supported only.
5. Click on a Create a rule checkbox if you want to set the defined actions to be executed
automatically by the scanner in the future.

6. Click Save.
Related topics:
• Creating a rule
• Creating a scanner

13.6 Managing discovered servers

Discovered, onboarded and quarantined servers are available in the main Servers view.
Discovered, onboarded and quarantined servers are available in the main Servers view.

Note: Usually, discovered servers are not onboarded automatically due to lack of rule config-
uration or assignment in scanner. Administrator can manually onboard them by choosing the
Manage servers option.

1. Select Management > Servers and respectful tab: Discovered, Onboarded or Quarantined.
2. Choose servers to be onboarded or quarantined by selecting the respective checkboxes next
to their names.
3. Click on the Manage servers option on the top of the functional menu - a modal will pop
up.

13.6. Managing discovered servers 255

Fudo Enterprise 5.4 - System Documentation

4. Choose an action:
4.1 Onboard by adding the discovered servers to specified Pool or
4.2 Quarantine and provide a reason (mandatory) to send chosen servers to quar-
antine.

5. Click Apply.
Related topics:
• Creating a rule
• Creating a scanner

13.6. Managing discovered servers 256

CHAPTER 14

Password changers

Fudo Enterprise features password changers, which enable managing credentials to privileged
accounts on monitored servers.
Password changers run on a separate transport layer: SSH, LDAP, Telnet or WinRM, and you
can either use one of the built-in ones or create your own script.
The built-in password changers cover the following scenarios:
• Unix over SSH
• MySQL over SSH
• Cisco over SSH and Telnet
• Cisco Enable Password over SSH and Telnet
• WinRM
• LDAP

14.1 Password changer policy

Password changer policy defines specifics of how frequently the password should be changed and
password complexity requirements.

257
Fudo Enterprise 5.4 - System Documentation

14.1.1 Defining a password changer policy

1. Select Management > Password changers > Password policies.

2. Click + Add.
3. Enter object name.
4. Select the Password change enabled option and specify the time interval between each
password change.
5. Select the Password verification enabled option and specify the time interval between each
password verification.
6. Define password complexity.

Parameter Description
Length Provide the number of characters comprising the password.
Small letters Select to include lowercase characters, define their minimal
number.
Capital letters Select to include uppercase characters, define their minimal
number.
Special characters Select to include special characters, define their minimal num-
ber.
Digits Select to include digits, define their minimal number.

Note: The sum of the enforced password requirements cannot be greater than the specified
password length.

7. Click Save.

14.1. Password changer policy 258

Fudo Enterprise 5.4 - System Documentation

14.1.2 Editing a password changer policy

1. Select Management > Password changers > Password policies.

2. Find and click desired object to open its configuration page.
3. Modify configuration parameters as needed.
4. Click Save.

14.1.3 Deleting a password changer policy

1. Select Management > Password changers > Password policies.

2. Find and select desired objects.
3. Click Delete.
4. Confirm deletion of selected objects.
Related topics:
• Data model
• Accounts
• Custom password changers
• Setting up password changing on a Unix system

14.2 Custom password changers

Custom password changers enable defining a set of commands executed on a remote host in case
the built-in password changers cannot handle a specific use case scenario.

Note: In cluster configuration, the node responsible for changing passwords on monitored
systems is configured in system settings. For more information refer to Password changers -
active cluster node topic.

14.2.1 Defining a custom password changer

1. Click + icon in the main menu next to the Password changers tab, or
Select Management > Password changers. Click + Add and then choose New password changer.

Note: Alternatively, you can find and click an existing password changer and click Copy to
create a new password changer based on currently opened definition.

14.2. Custom password changers 259

Fudo Enterprise 5.4 - System Documentation

2. Define the password changer’s name.

3. From the Script type drop-down list, select if the script is a password changer or password
verifier.
4. From the Connection mode drop-down list, select the transport layer.
5. In the Timeout field, define the script’s execution time limit.
6. In the Commands list section, click + to add a command.

Note: Available commands depend on selected transport layer. For more information on
connection modes, refer to the Connection modes topic.
• INPUT - command executed on target host.
• EXPECTED - output that is expected after executing a command.
• ENTER
• DELAY - delay between commands’ execution.
• DN - directory service DN (Distinguished Name) parameter.
• FILTER - directory service user filter.

Warning: To configure WinRM password changers, you need to provide user credentials
with the authority to change passwords (typically an admin-level account). However, it’s
important to avoid using this account to change its own password, as WinRM will return
an error that Fudo Enterprise cannot process. Make sure that the account_login and
transport_login variables are set to different values.

7. Enter the command or define action’s parameters.

14.2. Custom password changers 260

Fudo Enterprise 5.4 - System Documentation

Note: You can use pre-defined transport layer or user defined variables in commands.
To use or define a variable, enclose it in %% characters (e.g. %%transport_host%%,
%%custom_variable%%).

8. Repeat steps 8-10 to add more commands.

9. In the Variables section, define variables’ attributes.

Note:
• Variables can be initiated with values referenced from other objects or they can be assigned
a constant value.
• Predefine the property values so that the password changer assigned to the account during
the Discovery process will not require any additional configuration.

10. Click Save.

11. Define password change policy and assign the password changer to account.

Note: Example
In this password changer example, the password change is triggered with the passwd command
executed with sudo privileges on a host running FreeBSD operating system.
Commands list

14.2. Custom password changers 261

Fudo Enterprise 5.4 - System Documentation

Action Content Comment

1 EXPECTED Password Expected terminal output with a ‘Pass-
word’ word in it.
2 INPUT %%transport_secret%% A value of the transport_secret vari-
able is a secret for authorizing a priv-
eleged account to change the password.
3 EXPECTED \[newtd_pc@john-laptop. Expected terminal output within given
*\] regular expression.
4 INPUT sudo passwd Change password for account where
%%account_login%% account_login reflects a login of the
user, whose password is being changed.
5 EXPECTED Password Expected terminal output with ‘Pass-
word’ word in it.
6 INPUT %%transport_secret%% A value of the transport_secret vari-
able is a secret for authorizing a priv-
eleged account to change the password.
7 EXPECTED Changing local password Expected terminal output with ‘Chang-
ing local password’ phrase in it.
8 EXPECTED New Password Expected terminal output with ‘New
Password’ phrase in it.
9 INPUT %%account_new_secret%% A value of the account_new_secret
variable would be a new password.
10 EXPECTED Retype New Password Expected terminal output with ‘Retype
New Password’ phrase in it.
11 INPUT %%account_new_secret%% A value of the account_new_secret
variable would be a new password.
12 INPUT echo $?
13 EXPECTED 0

Variables

Variable name Object type Object property Encrypt

transport_method constant
transport_bind_to server_property bind_ip
transport_user account login
transport_host server_address_property host
transport_port server_property port
transport_secret account secret
transport_host_public_key
constant
account_login account login

14.2. Custom password changers 262

Fudo Enterprise 5.4 - System Documentation

14.2.2 Editing a custom password changer

1. Select Management > Password changers.

2. Click the name of desired password changer.
3. Edit selected commands.
4. Click X to remove selected command.
5. Click Save.

14.2.3 Deleting a custom password changer

1. Select Management > Password changers.

2. Select desired elements and click Delete.
3. Confirm deleting selected objects.
Related topics:
• Password changers - active cluster node
• Connection modes
• Accounts
• Password changer policy
• Setting up password changing on a Unix system

14.3 Connection modes

Connection modes specifies transport layer used in the password change process. The transport
layer determines the list of available commands and default variables.

14.3.1 SSH

SSH connection mode uses SSH protocol to establish connection with remote host.
Commands

Command Description
INPUT Command executed on target host.
EXPECTED Expected result.
ENTER
DELAY Delay between commands’ execution.

Variables

14.3. Connection modes 263

Fudo Enterprise 5.4 - System Documentation

Variable Description
transport_bind_ip Fudo IP address used to establish connection with the remote
host.
transport_host An IP address of the remote host that the password
changer/verifier connects to.
transport_host_public_key Public key of the remote host.
transport_login An account on the target system authorized to change pass-
words.
transport_method Transport layer authentication method: password or sshkey.
transport_password_promptRegular expression describing the password prompt.

Note: In case this parameter is defined as constant but the

user does not explicitly define the value after the password
changer is assigned to the account, the default string will be
used to determine the password prompt.

transport_port A port number that the password changer/verifier connects to.

transport_secret Secret used to authorize the account to execute password
change.
account_login Login of the user whose password is being changed.
account_new_secret System default variable initiated with the value automatically
generated by Fudo.

14.3.2 LDAP

LDAP transport layer runs an LDAP query to change the password property of an object defined
in the directory service.
Commands

Command Description
DN Directory service DN (Distinguished Name) parameter.
FILTER Directory service user filter.

Note: Password changers based on the LDAP transport layer can have only one command
defined.

Variables

14.3. Connection modes 264

Fudo Enterprise 5.4 - System Documentation

Variable Description
transport_base Base distinguished name.
transport_bind_ip Fudo IP address used to establish connection with the remote
host.
transport_ca_certificate CA certificate of the target system.
transport_domain Domain used to login to the target system.
transport_encoding Text encoding used by the target system.
transport_host An IP address of the remote host that the password
changer/verifier connects to.
transport_login An account on the target system authorized to change pass-
words.
transport_port A port number that the password changer/verifier connects to.
transport_secret Secret used to authorize the account to execute password
change.
transport_server_certificate Certificate of the target server.
account_domain Domain of the user whose password is being changed.
account_new_secret System default variable initiated with the value automatically
generated by Fudo.

14.3.3 Telnet

Telnet connection mode uses Telnet protocol to establish connection with remote host and
continue to communicate with the server in order to change the password.
Commands

Command Description
INPUT Command executed on target host.
EXPECTED Expected result.
ENTER
DELAY Delay between commands’ execution.

Variables

Variable Description
transport_bind_ip Fudo IP address used to establish connection with the remote
host.
transport_host An IP address of the remote host that the password
changer/verifier connects to.
transport_login An account on the target system authorized to change pass-
words.
transport_port A port number that the password changer/verifier connects to.
transport_secret Secret used to authorize the account to execute password
change.
account_login Login of the user whose password is being changed.
account_new_secret System default variable initiated with the value automatically
generated by Fudo.

14.3. Connection modes 265

Fudo Enterprise 5.4 - System Documentation

14.3.4 WinRM

WinRM transport layer uses Windows Remote Management protocol to interface with remote
operating system and facilitate password change. WinRM is compatible with Certificate Revo-
cation List (CRL) so that the used digital certificates are always up to date and valid.

Note: The default settings of WinRM Password Changer and Verifier allow changing and
verifying passwords of local users only. If the domain users should be included too, add them
to the “Allow log on locally” group so that the executing script takes domain users’ passwords
while running, too.

Commands

Command Description
INPUT Command executed on target host.
EXPECTED Expected result.
ENTER
DELAY Delay between commands’ execution.

Variables

Variable Description
transport_bind_ip Fudo IP address used to establish connection with the remote
host.
transport_ca_certificate CA certificate of the target system.
transport_encoding Text encoding used by the target system.
transport_host An IP address of the remote host that the password
changer/verifier connects to.
transport_login An account on the target system used to change passwords. It
has to be different from the account on which the password is
being changed (account_login variable).
transport_port A port number that the password changer/verifier connects to.
transport_secret Secret used to access the account to execute password change.
account_login Login of the user whose password is being changed.
account_new_secret System default variable initiated with the value automatically
generated by Fudo.

Related topics:
• Custom password changers
• Password changer policy

14.3. Connection modes 266

Fudo Enterprise 5.4 - System Documentation

• Setting up password changing on a Unix system

14.4 Setting up password changing on a Unix system

This topic contains an example of setting up password changing on a Unix system.

Adding a password change policy
1. Select Management > Password changers > Password policies.
2. Click + Add to create a new password changing policy.
3. Provide password change policy name.

Note: Provide a descriptive name so that anyone administrating Fudo Enterprise can tell
what the policy does at a glance. E.g. 10 minutes, 20 characters, special characters,
uppercase.

4. Select the Password change enabled option and define how frequently the password will be
changed.
5. Select the Password verification enabled option and define how frequently the Secret Man-
ager should verify whether the password has not been changed in any other way but the
Secret Manager itself.
6. Provide the number of characters comprising the password.
7. Select desired password complexity options and provide the minimal number of characters
for each.

8. Click Save to store password changer policy.

Assigning a password changer and a verifier to the privileged account
1. Select Management > Accounts.
2. Find and click desired account object.

14.4. Setting up password changing on a Unix system 267

Fudo Enterprise 5.4 - System Documentation

3. Click + Add password changer.

4. From the Password verifier drop-down list, select Unix/SSH changer.
5. Define the script execution time limit.
6. Review and modify default values.

Variable Value
transport_bind_ip cont_int: Any
transport_host cont_int: 10.0.0.12
transport_host_public_key cont_int: ssh-rsa AAA[...]
transport_login Enter manually: root
transport_method Enter manually: password
transport_password_prompt constant
transport_port cont_int: 22
transport_secret cont_int_mr_jenkins: *****
account_login cont_int_mr_jenkins: mr_jenkins

Note:
• Variables starting with transport_ are the transport layer variables determining connec-
tion parameters with the target host.
• Password changer variables can be assigned values manually or initiated with properties
of other objects.

7. Click + Add password verifier.

8. From the Password verifier drop-down list, select Unix/SSH changer.
9. Define the script execution time limit.
10. Review and modify default values.

Variable Value
transport_bind_ip cont_int: Any
transport_host cont_int: 10.0.0.12
transport_host_public_key cont_int: ssh-rsa AAA[...]
transport_login cont_int_mr_jenkins: mr_jenkins
transport_method cont_int_mr_jenkins: password
transport_password_prompt constant
transport_port cont_int: 22
transport_secret cont_int_mr_jenkins: *****

11. Click Save.

Related topics:
• Connection modes
• Custom password changers

14.4. Setting up password changing on a Unix system 268

CHAPTER 15

Policies

Policies are patterns definitions facilitating proactive session monitoring. In case a defined
pattern is detected, Fudo Enterprise can automatically take respective actions and notify the
administrator about the current situation.
Fudo Enterprise divides policy definition by its basis: AI module or Regular Expression:
• when the AI module option is chosen as a basis of the policy, Fudo Enterprise reacts on
reaching the specified Threat Probability Threshold,
• when the regular expression option is chosen for the policy’s base, the system analyses
the defined expression’s input or output.
Both types of policies react by taking the following actions:
• sending e-mail message,
• sending SNMP TRAP notification,
• pausing connection,
• terminating connection,
• blocking the user.

15.1 AI module-based policy

In order to configure an AI module-based policy, proceed as the following states:

1. Select Management > Policies.
2. Click Add policy.
3. Provide the Name for the policy.

269
Fudo Enterprise 5.4 - System Documentation

4. Select the actions that will be performed when the policy is breached:
• send email notification to system administrator,

Note: Sending email notifications requires configuring and enabling notification

service as well as Session AI notification enabled in safe configuration.

• send SNMP TRAP notification to the receiver,

Note: Sending SNMP TRAP notifications requires configuring the SNMPv3

TRAP in the System tab. Check the SNMP page for more information.

• pause connection,
• terminate connection,
• block user.

Warning: If SNMP TRAP service is not configured, all notifications on policy violation
will be discarded but other options related to the session management will work.

5. Select the Severity. Severity parameter value is included in the email notification message
and in the Events log with the FSW0284 code.
6. Check the AI module in the Policy type field.

15.1. AI module-based policy 270

Fudo Enterprise 5.4 - System Documentation

7. Select min, avg (default) or max option for the Threat Probability Threshold field and
provide the value.

Note: Values for the Threat Probability metrics are calculated by the AI models for each
session segment. The segment evaluations are averaged per model (e.g. Mouse Biometric,
Keyboard Biometric) creating a model Threat Probability, thus the AI model delivers one Threat
Probability per model for the whole session. These values are used in the policy and the policy
actions can be applied to the minimum, average or maximum value of model Threat Probabilities.
In practice, if an administrator wants to decrease sensitivity of the policy so that it reacts to
breaching a given threshold by all the models, the Threat Probability Threshold should be set
to minimum. If the situation requires the policy to be more sensitive and react to the threshold
breaching by at least one model, then the Threat Probability Threshold should be set to
maximum.
Default value for the Threat Probability Threshold is average.
In order to avoid an excessive number of emails and unnecessary actions, min. recommended
value is above 75%.

8. Click Save.
AI module-based policy examples
Example 1. Sending SNMP TRAP notifications about suspicious sessions.
To configure the policy to send SNMPv3 TRAP notifications about suspicious sessions, follow
the procedure:
1. Create a user for SNMPv3 service:
• Select Management > Users.
• Create a new one.
• Enter Login.
• Choose the service in the Role field.
• Select Password in the Authentication Type field and provide your password.
• In the SNMP section, define the settings:
– Enable SNMP.
– Select SHA or MD5 in the Authentication Method field.
– Select AES or DES in the Encryption field.
• Click Save.
2. Configure SNMPv3 TRAP:
• Select Settings > System
• Scroll down to the Maintenance and supervision section
• Configure the SNMPv3 TRAP server address and port
• Select the user with service role, created in step 1.
• Click Save.

15.1. AI module-based policy 271

Fudo Enterprise 5.4 - System Documentation

3. Create policy:
• Select Management > Policies.
• Click Add policy.
• Provide the Name for the policy.
• Select the SNMP TRAP option in the Actions field.
• Select AI module in the Policy type field.
• Select the option of the Threat Probability Threshold (e.g. avg) and add its value
(e.g. 90%).
• Click Save.
4. Assign the policy to a safe that is used to establish connections to servers.
• Click Save.

Example 2. Terminating suspicious sessions when the Threat Probability Threshold

is reached.
To configure the policy to terminate suspicious sessions when the Threat Probability Threshold
is reached, follow the procedure:
1. Create policy:
• Select Management > Policies.
• Click Add policy.
• Provide the Name for the policy.
• Select the Terminate session option in the Actions field.
• Select AI module in the Policy type field.
• Select the option of the Threat Probability Threshold (e.g. avg) and add its value
(e.g. 90%).
• Click Save.

15.1. AI module-based policy 272

Fudo Enterprise 5.4 - System Documentation

Note: For harsh actions like pausing or terminating a session or blocking a user it’s advised
to use higher max thresholds to minimize consequences of false positives.

2. Assign the policy to a safe that is used to establish connections to servers.

• Click Save.

15.2 Regular expression-based policy

Note: Fudo Enterprise supports POSIX extended regular expression.

Follow the steps to configure a regular expression-based policy:

1. Select Management > Policies.
2. Select Regular expressions tab.
3. Click + Add regular expression.
4. Enter pattern name.
5. Define the pattern itself.

Note:
• Patterns can be defined as regular expressions.
• Fudo Enterprise does not recognize expressions which use backslash character, e.g. \d, \D,
\w, \W.

6. Repeat steps 3-5 to define additional patterns.

7. Click Save.

15.2. Regular expression-based policy 273

Fudo Enterprise 5.4 - System Documentation

Note: Regular expressions examples

8. Select Management > Policies.

9. Click Add policy.

10. Enter policy name.

11. Select actions:
• Send email notification to system administrator,
• Send SNMP TRAP notification,
• Pause connection,
• Terminate connection,
• Block user.

Note:
• Sending email notifications requires configuring and enabling notification service as well
as Session policy match notification enabled in safe configuration.

15.2. Regular expression-based policy 274

Fudo Enterprise 5.4 - System Documentation

• Note that blocking the user automatically terminates the connection.

12. Select Regular expression in the Policy type field.

13. Select monitored patterns.
14. Select policy severity.

Note: Severity parameter value is included in the email notification message.

15. Select the Match input only option to process input stream only.

Note: In RDP, VNC and MySQL protocols only input data is processed.

16. Click Save.

17. After defining a policy, assign it to a safe that is used to establish connections to servers.

15.2. Regular expression-based policy 275

Fudo Enterprise 5.4 - System Documentation

• Artificial Intelligence
• AI sessions processing
• Safes
• Terminating connection
• Notifications
• Security

15.2. Regular expression-based policy 276

CHAPTER 16

Downloads

The Downloads tab allows for tracking the conversion progress of session recordings and files
transferred during SFTP sessions, previously selected for download.

16.1 Sessions

Fudo Enterprise allows converting stored session data to one of supported formats. The Sessions
tab is designated for managing session recordings that were previously selected for download
in Management > Sessions. For detailed instructions on how to export a session, please refer to
the Exporting sessions section of this manual.

16.2 Files

The Files tab is designated for managing the downloads of large files that originate from recorded
sessions via the SFTP protocol. If the selected file exceeds the 50 MB threshold, it undergoes
an encoding process and subsequently appears in the Files tab, ready for download. Files
smaller than 50 MB are directly downloaded through the browser without encoding.
To download a file transfered during SFTP session, users must initiate the download from the
session player interface. To view a session, proceed as follows:
1. Select Select > Sessions.

277
Fudo Enterprise 5.4 - System Documentation

2. Find desired SFTP session and click the play icon next to it.
3. In the session player window, navigate through the SFTP session history to locate the
desired file for download, then click the File button to initiate the encoding process.

Note: To ensure the download of the entire file, please use the File button.

4. Select Management > Downloads.

5. Go to the Files tab.
6. Click the Download icon to download encoded file.

Related topics:
• Exporting sessions
• Sessions

16.2. Files 278

CHAPTER 17

Account activity in the Access Gateway

Fudo Enterprise allows configuring an option to be informed about existing connection.

The Resource in use feature works while establishing connection to the target server, to which
another user is already connected via the same account. If the user continues establishing
connection, the session is terminated.

Warning: This option is available for RDP connections only.

In order enable the Resource in use option for the RDP connections, follow the instruction:
1. Select Management > Servers.
• Define filters to limit the number of objects displayed on the list, or select an RDP server
that needs to be edited right from the list.
• Check the Inform about existing connection option in the Settings section.

279
Fudo Enterprise 5.4 - System Documentation

• Click Save or Save and close.

2. Select Management > Accounts.
• Define filters to limit the number of objects displayed on the list, or select an account with
access to an RDP server that needs to be edited right from the list.
• In the Inform about existing connection field select:
– Use server settings to inherit the settings of the server, which was added to the
account in the Server section,
– Yes to enable functionality (independently from the server settings),
– No to disable functionality.

• Click Save.
Information about existing connection will be presented to the user in the Access Gateway. Here
is the default message:

280
Fudo Enterprise 5.4 - System Documentation

You can customize that message by including variables (organization, phone, name, full_name,
or email), enclosed in double %% symbols. E.g., %%email%%.
In order to do that:
1. Select Settings > Resources > User portal tab.
2. Provide a new message in the Resource in use message field.
3. Click Save.

• Creating an RDP server

• User portal login screen configuration

282
CHAPTER 18

Access requests

Granting access to the resources via the request is a basis of the Just In Time feature. A user
requests for access via the Access Gateway, and authorized administrators vote for the request’s
approval or rejection on Admin Panel.
In order to set the voting process for access to your resources, follow the procedure:
1. Select Management > Safes tab.
2. Select the safe from the list, or create a new one.
3. Check the Access request required votes option. Provide a number of the voters that will
be deciding about each request to the safe resources.

Note:
• Users with Admin role and users added as the Granted Users to the Safe are allowed to
be the voters.
• A user, who sent an access request isn’t allowed to vote for access on their own request.
Therefore, their own requests aren’t visible for them.

283
Fudo Enterprise 5.4 - System Documentation

• Having more than one voter sets a request to be accepted by more than 1 authorized person.
If one of the voters votes for rejection, the system automatically rejects the request.

4. Go to the Granted users tab and for the particular user select the Access request sent
type of notification.

Note: Notifications are set per node, according to the settings in the Notifications tab. In
case of the Access request sent type, notifications are sent from the node, on which the request
was created. More on this subject is at the Notifications page.

5. Click Save.
All the requests are available in the Management section on the Requests tab.

18.1 Awaiting requests

The Awaiting tab shows a detailed list of the requests that are waiting for a decision of the
currently logged in user. Two types of requests are available for the user who sends an access
request: immediate and scheduled.
Immediate requests can be set from now up to the next 24 hours.
When a user sends an immediate request, its access time starts when the request is accepted.
Then, the user has 24 hours to start their session. When the user starts the session, the system
counts the session time, which the user had requested, and terminates connection when the
requested session time is over. If the user does not use the access and does not connect for 24
hours after access is granted, the access becomes expired.
For the scheduled type of requests, the user chooses a time period in the future, including exact
time and date.

18.1. Awaiting requests 284

Fudo Enterprise 5.4 - System Documentation

Sending response to the request

In order to vote for approval or rejection of the request, follow the steps:
1. Select Management > Requests tab.
2. In the Awaiting tab select the request to be processed and click the Response button .
3. In the modal click the Accept or the Reject button.

Note: The Response reason field is required to activate the rejecting option.

Note:
• Users who sent the request via the Access Gateway and have their e-mail address configured
on the Admin Panel, receive notifications when their request was accepted or rejected.
• If a user is trying to connect to a server (for example, based on the SSH protocol) via
the native client option, but hasn’t sent an access request, a respective message about
authentication error is recorded into the Event logs: Unable to authenticate user:
safe requires acceptance.

18.1. Awaiting requests 285

Fudo Enterprise 5.4 - System Documentation

18.2 Active requests

The Active tab shows a list of two types of the requests: 1) requests that were accepted, and
their sessions are currently ongoing, and 2) requests that are waiting for the part of the voters.
The Votes column of the requests list shows a number of voters that the particular request needs
to be processed. Hover on its value to see the details of who had voted.
Given vote for accepted and active requests can be revoked, for example, for preventing a possible
misuse. This option is useful when the user finished their work earlier than expected, but their
request is still valid.

18.3 Archived requests

History of the processed requests is available under the Archive tab.

The Votes column of the requests list shows a number of voters that the particular request
needed to be processed. Hover on its value to see the details of who voted.

18.2. Active requests 286

Fudo Enterprise 5.4 - System Documentation

The Just in Time feature also works when there are Fudo instances connected in the cluster.
Votes and requests are replicated on nodes in the cluster.

Note: If the admin voted on more than one machine in the cluster and his decisions were
contradictory, it will be treated as a single rejecting vote and the accepting vote will be revoked.

18.3. Archived requests 287

CHAPTER 19

Sessions

Fudo Enterprise stores all recorded servers access sessions, allowing to playback, review, delete
and export to the supported video formats.
Sessions management page allows filtering stored user sessions, accessing current users connec-
tions and downloading stored sessions. It also provides status information on each session and
enables access to session sharing options.

Note: Contents of the session list depend on the logged in user’s access rights. Being able to
access a given session requires having management privileges to: server, account, user and safe
objects that were used in the given connection.

288
Fudo Enterprise 5.4 - System Documentation

Icon Description
Start session playback (applicable to sessions with the entire traffic recording op-
tion selected in connection properties).
Icon indicating that session has been timestamped.
Purpose why the user has connected to the server.
Session has been commented.
Session has been processed for full-text search purposes.
Session replication status.
Access session sharing management options.
Download session material in selected file format (applicable to sessions with either
complete or raw traffic recording option selected in connection properties).
User activity monitor (applicable to live sessions).
Username of the user for whom approved pending session.
Approve pending request.
Decline pending request.
Pending request awaiting authorization.
Element aggregating connections established within the same session.
Session excluded from the retention mechanism.
Behavioral analysis status. This is an evaluation version of the AI component.
- session under analysis, initial result - no threat.
- session under analysis, initial result - medium threat level.
- session under analysis, initial result - high threat level.
- session awaiting analysis or being initially processed.
- session not analyzed due to missing a trained model.
- session processed - no risk.
- session processed - medium threat level.
- session processed - high threat level.
- session processed - no result.

To open sessions management page, select Management > Sessions.

Note: Fudo Enterprise stores compressed session material which may result in differences
between the displayed and the actual session size.

289
Fudo Enterprise 5.4 - System Documentation

19.1 Filtering sessions

Sessions filtering allows to find desired sessions easily by limiting the number of displayed sessions
on the sessions management page.

19.1.1 Defining filters

1. Click Add Filters and select desired data type from the drop-down list.

2. Select desired values for the given filtering type parameter.

Note: Enter a string of characters to limit the number of the elements on the list. In case of
users, the elements on the list can be limited to those who have a given user role assigned or
belong to the given organization unit.

Select a previously added object to remove it from the filter.

3. Repeat steps 1 and 2 to define additional filters.

19.1. Filtering sessions 290

Fudo Enterprise 5.4 - System Documentation

Note: Only sessions which match all defined filtering parameters will be displayed.

4. Click the floppy disk button to store the filter definition.

5. Click the delete button to disable given filter.

19.1.2 Managing user defined filter definitions

Current filtering settings can be stored as a user defined filtering preset for the convinience of
the system’s administrator.
1. Define filtering options as described in the Filtering sessions section.
2. Click Add filter and select the desired filter definition.

3. Change the filtering parameters if desired.

4. Click the floppy disk button to save the filter definition, or
Click the delete icon to remove the filtering definition. Confirm deleting the selected filtering
definition.

19.1. Filtering sessions 291

Fudo Enterprise 5.4 - System Documentation

19.1.3 Full text search

Fudo Enterprise enables searching stored data to limit the number of elements on the sessions
list only to those containing the specified phrase.

Note:
• Use the Sessions search bar to search for sessions containing specific phrases, e.g. “logout”.
• Playing a session containing the specified phrase starts from the moment of its first occur-
rence.
The player allows for skipping between each occurrence of the specified phrase.

Related topics:
• System overview
• Reports

19.1. Filtering sessions 292

Fudo Enterprise 5.4 - System Documentation

19.2 Viewing sessions

Fudo Enterprise allows viewing recorded sessions as well as current user connections.
To view a session, proceed as follows.
1. Select Management > Sessions.
2. Find desired session and click the play icon next to it.

Note: Filter sessions to display only active connections:

• Click Add filter and select Active.
• Select Yes from the drop-down list.

Session player options

Note: Some options are available for live sessions only.

SSH, RDP, VNC, X11, Telnet

Note: Playing a session containing the specified phrase starts from the moment of its first
occurrence.

The player enables skipping between each occurrence of the specified phrase.

19.2. Viewing sessions 293

Fudo Enterprise 5.4 - System Documentation

Note: Click the displayed elapsed time to switch between the connections’s actual and relative
time.

Below, you will find screenshots displaying session views established using various protocols such
as HTTP, SSH, SFTP, MySQL, MSSQL and SCP.
HTTP - rendered

19.2. Viewing sessions 294

Fudo Enterprise 5.4 - System Documentation

Note: In case of rendered HTTP sessions, raw protocol data is not recorded.

19.2. Viewing sessions 295

Fudo Enterprise 5.4 - System Documentation

HTTP - raw

SSH

19.2. Viewing sessions 296

Fudo Enterprise 5.4 - System Documentation

SFTP

MySQL, MSSQL

19.2. Viewing sessions 297

Fudo Enterprise 5.4 - System Documentation

SCP

19.3 Pausing connection

In case a current user action requires analysis, the connection to the server can be paused.

Note: Pausing connection temporarily suspends data transmission. After resuming connection,
buffered user’s actions are forwarded to the server.

1. Select Management > Sessions.

2. Click Add filter and select Active.
3. Select Yes from the drop-down list.
4. Find desired session and and click the play icon to start playback.
5. Click Pause.

19.3. Pausing connection 298

Fudo Enterprise 5.4 - System Documentation

• Joining session
• Filtering session

19.4 Terminating connection

In case the administrator notices access rights misuse, Fudo Enterprise allows to terminate the
session and automatically block given user.

Note: Fudo Enterprise can automatically block user account upon detecting a defined pattern.
For more information refer to Policies.

1. Select Management > Sessions.

2. Click Add filter and select Active.
3. Select Yes from the drop-down list.
4. Find desired session and click the playback icon to start playback.
5. Click Terminate.

Note: Terminating connection automatically blocks given user.

6. Decide whether the user should remain blocked or not.

Related topics:
• Policies
• Security measures
• Joining live session
• Sharing sessions

19.4. Terminating connection 299

Fudo Enterprise 5.4 - System Documentation

• Filtering sessions

19.5 Joining live session

Fudo Enterprise allows joining an ongoing session to work simultaneously with the remote user.

Note:
• Session joining feature is supported in SSH, RDP, VNC and Telnet (excluding 5250 and
3270) connections.
• In case of cluster configurations, joining session is only possible after logging into the
administration panel on the node that handles the given access session.

To join currently established session, proceed as follows.

1. Select Management > Sessions.
2. Click Add filter and select Active.
3. Select Yes from the drop-down list.
4. Find desired session and and click the play icon to start playback.
5. Click Join.

Related topics:
• Replaying sessions
• Sharing sessions
• Filtering sessions
• Supported protocols

19.5. Joining live session 300

Fudo Enterprise 5.4 - System Documentation

19.6 Sharing sessions

Fudo Enterprise enables sharing given session with another user.

Sharing a session
To share a session, proceed as follows.
1. Select Management > Sessions.
2. Find desired session and and click the play icon to start playback.

3. Click Share.

4. Provide session availability time frame and click Confirm to generate URL.

19.6. Sharing sessions 301

Fudo Enterprise 5.4 - System Documentation

5. Copy the system generated URL and click Close.

Revoking session URL
To revoke a session URL, proceed as follows:
1. Select Management > Sessions.
2. Find desired session and click the share icon to display sessions sharing management
options.

3. Click the revoke icon to deactivate given URL.

19.6. Sharing sessions 302

Fudo Enterprise 5.4 - System Documentation

Related topics:
• Replaying sessions
• Joining sessions
• Filtering sessions

19.7 Commenting sessions

Fudo Enterprise enables adding comments and tags to recorded sessions.

Adding a comment
1. Select Management > Sessions.
2. Find desired session and click the playback icon to start playback.
3. Click Details.
4. Click the lower part of the timeline to add a comment.
5. Define time interval which applies to this comment.

Note: Click and drag either side of the tag to change the starting/ending time.

6. Add comment.
7. Click Submit.
Editing a comment
1. Select Management > Sessions.
2. Find desired session and click the playback icon to start playback.
3. Click Details.
4. Find and click desired comment.

19.7. Commenting sessions 303

Fudo Enterprise 5.4 - System Documentation

5. Click the edit icon.

6. Change the comment and Submit.
Deleting a comment
1. Select Management > Sessions.
2. Find desired session and click the playback icon to start playback.
3. Click Details.
4. Find and click desired comment.
5. Click the trashcan icon.
6. Click Delete to delete the comment.

Replying to a comment
1. Select Management > Sessions.
2. Find desired session and click the playback icon to start playback.
3. Click Details.
4. Find and click desired comment.
5. Click Reply.
6. Enter message and click Submit.
Related topics:
• Sensitive features

19.7. Commenting sessions 304

Fudo Enterprise 5.4 - System Documentation

19.8 Sessions’ retention lockdown

Data retention feature automatically deletes sessions after a specified time interval. Fudo allows
for excluding selected sessions from the retention mechanism.
Disabling retention
To disable retention for specified sessions, proceed as follows.
1. Select Management > Sessions.
2. Find and select desired sessions.
3. Click Retention.
4. Select Disable retention.

5. Click Confirm to disable retention for selected sessions.

Note: Retention locked sessions are differentiated with the status icon.

Enabling retention
1. Select Management > Sessions.
2. Find and select desired sessions.
3. Click Retention.
4. Select Enable retention.

5. Click Confirm to enable retention for selected sessions.

19.8. Sessions’ retention lockdown 305

Fudo Enterprise 5.4 - System Documentation

19.9 Exporting sessions

Fudo Enterprise allows converting stored session data to one of supported video formats.
To export a session, proceed as follows.
1. Select Management > Sessions.
2. Find desired session and click the session export icon.

3. Select the output file format.

Note: The output file format and the resolution determine conversion time and the size of the
output file.

4. Select the video resolution (not applicable to the text log file format).

Note: Autodetect option will export video in the native user’s screen resolution.

5. Click Confirm to start conversion and open the downloads page.

Note: The Downloads page enables monitoring conversion progress.

6. Find desired session and click the Download icon to download converted session material.

Related topics:
• Filtering sessions
• Sharing sessions
• Viewing sessions

19.9. Exporting sessions 306

Fudo Enterprise 5.4 - System Documentation

• Joining sessions

19.10 Deleting sessions

Note: As the session’s files and recorded videos are located in the Management > Downloads
tab, when you remove a session, the system deletes also associated files, stored in the Down-
loads > Files. Recorded movies, stored in the Downloads > Sessions tab, remain and can be
downloaded anytime.

To delete a recorded session, proceed as follows.

1. Select Management > Sessions.
2. Find and select desired session.
3. Click Delete.
4. Confirm deleting selected sessions.

Note: Fudo Enterprise can automatically delete sessions after certain time, specified by the
retention parameter. Refer to the Backups and retention topic for more on data retention.

Related topics:
• Filtering sessions
• Sharing sessions
• Viewing sessions
• Exporting sessions

19.10. Deleting sessions 307

Fudo Enterprise 5.4 - System Documentation

19.11 OCR processing sessions

Recorded RDP, VNC and rendered HTTP sessions can be processed and indexed for full-text
search purposes.

Warning: OCR processing is CPU intensive and may have negative impact on system’s
performance. It is recommended to enable it only for those accounts, which require detailed
supervision.

Automated sessions processing

To have RDP, VNC or rendered HTTP sessions automatically processed, proceed as follows.
1. Select Management > Accounts.
2. Find and click desired account.
3. Select the OCR sessions option.
4. Select the language of processed data.

5. Click Save.
Processing selected sessions
To process selected sessions, proceed as follows.
1. Select Management > Sessions.
2. Select desired sessions and click OCR.

19.11. OCR processing sessions 308

Fudo Enterprise 5.4 - System Documentation

Note: Filtering options allows for selecting processed or unprocessed objects.

3. Confirm processing selected sessions.

Related topics:
• Filtering sessions
• Accounts

19.12 Session data replication

Additionally to automated session data replication, Fudo Enterprise enables on-demand repli-
cation to Fudo Enterprise instances to which the given data is not replicated automatically.
1. Select Management > Sessions.
2. Click next to a session that you want to replicate.

3. Click Send session next to a specific cluster node to replicate session to selected Fudo
Enterprise instance

19.12. Session data replication 309

Fudo Enterprise 5.4 - System Documentation

or click Send to all nodes to replicate session to all cluster nodes.

Related topics:
• Cluster configuration
• Sessions

19.12. Session data replication 310

Fudo Enterprise 5.4 - System Documentation

19.13 Timestamping selected sessions

Note: To timestamp sessions, first you have to enable and configure the timestamping feature.
Go to Settings > Timestamping and follow the instructions in the Trusted time-stamping section.

To timestamp selected sessions, proceed as follows.

1. Select Management > Sessions.
2. Select desired sessions, click Timestamp and select Request timestamp.

3. Click Confirm.

Note: Once the timestamping option is enabled, an additional column will appear on the
session list. Timestamped sessions are marked with an active clock icon . By clicking on it,
you can view detailed timestamp information and download the signature.

19.14 Cancelling sessions timestamping

To cancel sessions timestamping, proceed as follows.

1. Select Management > Sessions.
2. Select desired sessions, Timestamp and select Cancel timestamp request.

19.13. Timestamping selected sessions 311

Fudo Enterprise 5.4 - System Documentation

3. Click Confirm.
Related topics:
• Filtering sessions
• Accounts

19.15 Approving pending user requests

In order to enable sending user requests, it’s necessary to have the Require approval option
checked in safe configuration.

Note: To receive email notifications about pending sessions, select Session awaiting approval
notification in safe configuration.

Approving user request is possible also via the Fudo Officer 1.0 application. Session await-
ing approval (push) notification should be enabled in order to see notifications about pending
requests.

19.15.1 Fudo management interface

1. Select Management > Sessions.

2. Click in a specific row
or select desired pending request and click Approve.

19.15. Approving pending user requests 312

Fudo Enterprise 5.4 - System Documentation

Related topics:
• User authentication methods and modes
• Declining pending requests
• Sessions
• Fudo Officer 1.0

19.16 Declining pending requests

In order to enable sending user requests, it’s necessary to have the Require approval option
checked in safe configuration.

Note: To receive email notifications about pending sessions, select Session awaiting approval
notification in safe configuration.

Declining user request is possible also via the Fudo Officer 1.0 application. Session await-
ing approval (push) notification should be enabled in order to see notifications about pending
requests.

19.16.1 Fudo administration interface

1. Select Management > Sessions.

2. Click in a specific row,
or select pending sessions and click Reject.

3. Optionally, enter the reason for rejecting given request.

19.16. Declining pending requests 313

Fudo Enterprise 5.4 - System Documentation

Note: Rejection reason is displayed on the session list after positioning cursor over the icon.

4. Optionally, select the option to block the user.

Note: User blocking reason will be the same as the entered session rejection reason.

5. Click Confirm.
Related topics:
• User authentication methods and modes
• Approving pending user requests
• Terminating connection
• Blocking a user
• Sessions
• Fudo Officer 1.0

19.17 AI sessions processing

Fudo Enterprise is able to detect changes in user behavior and determine if user credentials have
been compromised. It can also alert system administrator if there is an unusually high number
of connections or a particular session is longer than expected.

19.17.1 Content models

Content models process and analyze RDP and SSH sessions in order to build behavioral user
profiles. Based on these, Fudo Enterprise can detect even the slightest change in user behavior
and help prevent a security breach.
RDP content model
The RDP model is based on mouse cursor movements.
The following requirements must be met in order to produce an RDP model:
Minimum:
• 5 hours of sessions recordings per predictor,
• 5 unique predictors (e.g. users).
Optimal:
• 30 hours of sessions recordings,
• 10 unique predictors.

Note: RDP model’s quality depends on the consistency of how the user interacts with the
monitored system. If the user has used different operating systems and input devices (e.g.

19.17. AI sessions processing 314

Fudo Enterprise 5.4 - System Documentation

different mice, a trackpad or a trackball) the resulting model will not be very effective as it will
have a higher tolerance for a variety of behaviors.

SSH content model

The SSH content model is based on the keyboard input (commands).
The following requirements must be met in order to produce an SSH model:
Minimum:
• 65 sessions recorded (25 unique commands minimum),
• 5 unique predictors (e.g. users).
Optimal:
• 300 sessions recorded per predictor,
• 10 unique predictors (e.g. users).

19.17.2 Session scoring

Fudo Enterprise analyzes sessions in real-time and produces threat level scores (OK, LOW,
HIGH ) depending on how the user fares against the trained model.

Note: Sessions are processed in chunks containing a specific number of events. Processing is
done in real-time as long as there are workers available. When there are no workers available,
ongoing sessions’ parts are not analyzed.

Models are calibrated individually and session scores are presented on the session list.

Icon Description
Session under analysis, initial result - no threat.
Session under analysis, initial result - medium threat level.
Session under analysis, initial result - high threat level.
Session awaiting analysis or being initially processed.
Session not analyzed due to missing a trained model.
Session processed - no risk.
Session processed - medium threat level.
Session processed - high threat level.
Session processed - no result.

Note: When it comes to building user models, data quality is essential. If users shared login
credentials, the resulting model will be less likely to detect the variance in user behavior.

19.17. AI sessions processing 315

Fudo Enterprise 5.4 - System Documentation

Threat level popup contains information about individual Threat Probability for each model
that assessed the session. Threat probability is a percentage-wise value that reflects a threat
level of the session. The logic behind the different color icons is the following:
The icon is when Threat Probability is below 50%.
The icon is reflected when Threat Probability is above 50% but the underlying statistics of
a model indicate that it could cause a False Positive Rate over 5%. In such case a higher,
individual for each User and ML Model pair percentage threshold is derived while training to
obtain most optimal results.
The icon is when Threat Probability is above 50% and False Positive Rate would be lower
than 5%. If the False Positive Rate requirement can’t be met a higher threshold is used as
described above which the red circle is eventually used.

The Session threat probability graph displays threat probability scores for specific periods of the
session time (called segments), based on AI models prediction. A segment is a group of user’s

19.17. AI sessions processing 316

Fudo Enterprise 5.4 - System Documentation

actions, which the AI model uses for individual prediction.

Note: A session should be long enough for running prediction algorithms. Minimum duration
of the session for launching the AI model analysis is 3 segments (around 1 minute).

The graph also contains a link to the specific period of the session (segment) in the player
which allows the administrator to check the session in real time and react accordingly. The
administrator is also able to analyze the results, delivered by the AI training models and take
actions for the future sessions by adjusting settings. For example, by adding a policy to be
notified when a certain threat probability threshold is reached.

Note: The upgrading process to the Fudo Enterprise 5.3 removes session scores that were
calculated for the sessions before the upgrade and introduces a new calculating algorithm. For
the sessions before the upgrade detailed data is not available.

19.17.3 Quantitive models

Fudo keeps track of the number of sessions as well as their length. It can alert system adminis-
trator if there’s an unusually high number of connections or a particular session is suspiciously
long.
It does so by learning typical values for each user, account and server and making predictions
for every hour and weekday.
Related topics:
• Artificial Intelligence
• Sessions
• Frequently asked questions
• Policies

19.17. AI sessions processing 317

CHAPTER 20

Reports

Reporting service generates detailed statistics of users access sessions.

Full reports are generated periodically (daily, weekly, monthly, quarterly, annually) by the system
and can be accessed by users with the superadmin role assigned to them. Reports generated
periodically upon users with admin or operator requests, will include only information regarding
sessions objects which they have access permission assigned to.
In addition to the pre-defined reports, periodic reports can be also generated based on the user
defined filtering definition.
Report can also be generated on demand and include data related to specified sessions.
Predefined reports

318
Fudo Enterprise 5.4 - System Documentation

Account access re- This report contains accounts and corresponding servers and safes
port which have been accessed in the given time period.
Safe access report This report contains safes and the corresponding servers accessed in
the given time period.
Server access report This report contains servers accessed in the specified time period in
combination with safes and accounts.
Session approvals by This report contains approved 4-Eyes sessions.
user
Session sharing in- This report contains shared sessions.
vites by user
Session summary This report provides information on sessions recorded in the given
time period.
Sessions by server re- This report provides a list of recorded sessions and the server details
port for the given time period.
User access report This report contains users in combination with servers they have ac-
cessed in the specified time period along with safes, listeners and
accounts that were used to access these servers.
User activity report This report shows data about user and his actions in administration
panel - creating, removing and changing data for objects.
User privilege report This report contains users and objects that they are allowed to edit.
User report This report contains users along with their role, status, creation date,
recent login and the entity that has created the given user instance.

Subscribing to a periodic report

Subscribing cause sending the reports via e-mail, so remember to configure your SMTP server
as described on a Notifications page. To enable automatic periodic report generation for the
logged in user, proceed as follows.

Note: Periodic reports, generated upon specific user’s request, include only sessions, to which
given user has sufficient access rights.

1. Select Management > Reports.

319
Fudo Enterprise 5.4 - System Documentation

2. Click Manage subscriptions.

3. Select the report definition from the drop-down list.

Note: The list contains system pre-defined options and user defined filtering definitions.

4. Choose how often the given report should be generated.

5. Click Save.
Cancelling a periodic report subscription
To cancel a subscription to a cyclic report, proceed as follows.
1. Select Management > Reports.
2. Click Manage subscriptions.
3. Click the report definition removal icon.
4. Click Save.
Generating reports on demand
A report can be prepared for a specified subset of user sessions, determined by filtering options.
1. Select Management > Sessions.
2. Click Add filters and define filtering parameters (for more information on sessions filtering,
refer to the Sessions: Sessions filtering topic).
3. Click Generate report, to have the report generated based on the current filtering criteria.

4. Note your report’s identifier or click it to display the report.

320
Fudo Enterprise 5.4 - System Documentation

5. Select Management > Reports.

6. Find desired report and click the view icon.
7. Click the corresponding button to save the report in selected format.
Opening and downloading reports
1. Select Management > Reports.
2. Find desired report and click the view icon.

3. Click the corresponding button to save the report in selected format - CSV, PDF or HTML.
Deleting reports
1. Select Management > Reports.
2. Find, select desired reports and click Delete.
Related topics:
• Notifications
• Filtering sessions

321
CHAPTER 21

Productivity

Fudo Enterprise features a productivity analysis component which tracks users’ activities and
can provide precise information on activity and idle times.

21.1 Overview

Overview displays data on users’ activity in selected time interval.

Note: Activity rating is based on the user’s interaction with the monitored system. Fudo
Enterprise divides the time into 60 seconds long time intervals and monitors the activity within
the interval. Lack of any actions in a given time period accounts such as a non-productive time.

To view the users’ activity rundown, proceed as follows.

1. Select Management > Productivity.
2. Select the Overview tab.
3. Define the users’ list filtering.
4. Click Generate report to generate rundown of the displayed data in HTML, CSV or PDF
format.

Note: The report can be accessed in the Reports section.

322
Fudo Enterprise 5.4 - System Documentation

Related topics:
• Productivity analysis - Sessions analysis
• Productivity analysis - Comparison
• Sessions

21.2 Sessions analysis

Sessions analysis shows in detail users/organizations productivity in the given time period. The
activity threshold parameter allows identifying sessions, users and organisations which do not
exceed the required user activity rating and helps establishing the threshold value attainable for
a given number of users or sessions. Users activity rating
Users activity rating allows identifying sessions which do not exceed the required user activity
level. Further material analysis helps determining the reason for low activity in the given session
and draw relevant conclusions.

Note: The listing does not cover time periods longer than 31 days. In case the defined time
interval is longer than that, only data from the first 31 days is presented.

21.2. Sessions analysis 323

Fudo Enterprise 5.4 - System Documentation

Related topics:
• Productivity analysis - Overview
• Productivity analysis - Comparison

21.3 Activity comparison

Productivity module enables comparing users/organizations activity in given time periods.

To compare users/organizations, proceed as follows.
1. Select Management > Productivity.
2. Select the Comparison tab.
3. Select object types being compared: User or Organization.
4. Select the time interval: Month, Quarter, Half year, or Year.
5. Add objects to the comparison and define starting date for each object.

21.3. Activity comparison 324

Fudo Enterprise 5.4 - System Documentation

6. Click Confirm to compare selected objects.

Related topics:
• Productivity analysis - Sessions analysis
• Productivity analysis - Overview
• Sessions

21.3. Activity comparison 325

CHAPTER 22

Administration

This section covers Fudo Enterprise administration topics.

22.1 System

22.1.1 Date and time

System events registered by Fudo Enterprise (sessions, system log events, etc.) are timestamped.
Fudo Enterprise can obtain the time information either from an NTP server or the system clock.

Warning:
• It is strongly advised for the date and time settings to be obtained from a reliable NTP
server. Changing date and time settings manually may result in system malfunction.
• Date and time synchronization with NTP server is required in cluster configurations.

Changing date and time settings

Note: Manual time setting is disabled if there are NTP servers configured.

To change the Fudo Enterprise’s system clock settings, proceed as follows.

1. Select Settings > System.
2. Change date and time parameters in the Date and time section.

326
Fudo Enterprise 5.4 - System Documentation

3. Click Save.
Time servers configuration

Note: NTP servers ensure that the system time on all IT infrastructure devices is synchronized.
Using NTP servers guarantees that the timestamp of the recorded session matches the time
settings on the monitored server.

Adding an NTP server definition

To add an NTP server definition, proceed as follows.
1. Select Settings > System.
2. Click + in the NTP servers section to add an NTP server.
3. Enter NTP server IP address or host name.

4. Click Save.
5. Select Restart from user menu to reboot Fudo Enterprise and apply new time settings.

Note: After every change or removal of the NTP server definition, run Restart option.

22.1. System 327

Fudo Enterprise 5.4 - System Documentation

22.1.2 SSL certificates

SSL certificate allows prevent phishing attacks.

Note: Fudo requires using unencrypted keys to the certificate. In this case a user is not
obligated to input its password at every restart. Check how to decrypt a password protected
RSA private key.

Configuring SSL certificate for Fudo administration panel

1. Select Settings > System.
2. In the Fudo HTTPS certificate section, click the Browse button next to the HTTPS Cer-
tificate field and point to the location of the SSL certificate file in PEM format.
3. Click the Browse button next to the HTTPS Private Key field and point to the location
of the SSL key definition.
4. Click Save.
Configuring user portal SSL certificate
1. Select Settings > System.
2. In the Fudo HTTPS certificate section, click the Browse button next to the HTTPS Certifi-
cate field in the HTTPS certificate section and point to the location of the SSL certificate
file in PEM format.
3. Click the Browse button next to the HTTPS Private Key field and point to the location
of the SSL key definition.
4. Provide Private key passphrase.
5. Click Save.
Configuring user portal CA certificates
1. In the User portal CA certificates section, click the Browse button next to the CA certifi-
cates field and point to the location of the CA certificates. These certificates allow users
login in to the Access Gateway.
2. Click Save.
Related topics:
• Security measures
• Servers

22.1. System 328

Fudo Enterprise 5.4 - System Documentation

22.1.3 Deny new connections

Enabling this option results in a denial of all new connections requests.

Blocking new connections
1. Select Settings > System.
2. Select Deny new connections option in the User authentication and sessions section.
3. Click Save button.
Related topics:
• Network interfaces configuration

22.1.4 SSH access

SSH access option enables remote access to Fudo Enterprise for servicing and maintenance
purposes.

Note: The default port number for service access over SSH protocol is 65522.

Enabling SSH access

To enable SSH access, proceed as follows.
1. Select Settings > System.
2. Select SSH access option in the Maintenance and supervision section.

3. Click Save button.

Related topics:
• Network interfaces configuration

22.1. System 329

Fudo Enterprise 5.4 - System Documentation

22.1.5 Sensitive features

Sensitive features is a set of options enabling which requires a consent from two superadmin
users.

Note: Keystrokes are not displayed in the session player by default. Enabling keystrokes
display requires a consent from two superadmin users.

To enable sensitive features, proceed as follows.

1. Select Settings > System.

2. Select Show keyboard input in the Sensitive features section to initiate the feature.
3. Select Enable logs data removal option.
• this option is combined with Retention settings, where you can specify when
logs data should be removed.

4. Click Save.
5. Notify another system administrator that the features mentioned above have been initiated
and require a confirmation.
Related topics:
• Viewing sessions

22.1. System 330

Fudo Enterprise 5.4 - System Documentation

22.1.6 System update

Note:
• The system update process does not influence the system configuration or the session data
stored on Fudo Enterprise.
• The storage usage may temporarily increase during system update.

22.1.6.1 Updating system

Warning:
• If the upgrade package requires preparation, it is recommended to wait for the prepa-
ration process to finish. This will minimize the system’s downtime when performing
the actual upgrade.
• Before updating the system it is advised to run a preliminary check to ensure that the
current system configuration can be successfully upgraded to the new version.
• If the storage usage on the system being updated exceeds 85%, contact Fudo Enterprise
technical support before proceeding with upgrading the system.
• During the system update, all current users’ connections will be terminated. Use
the Deny new connections option in the User authentication and sessions section of
the system settings menu to limit the number of active connections before performing
system upgrade.
• After running system update, Fudo Enterprise will restart automatically. Connect the
USB flash drive containing the encryption key to the USB port before proceeding or
have the passphrase ready in case of virtual machine instance. Note that entering
incorrect passphrase will restart the machine in previous revision.
• In case of cluster configuration, upgrade slave node first and after successful upgrade,
move onto upgrading the master node.
• For clients who are upgrading from 4.x Fudo Enterprise versions, a new masterkey will
be generated during the upgrade. Users are encouraged to export and backup the newly
generated key. Refer to the Configuration encryption topic to find out more about the
system masterkey.

1. Select Settings > System.

2. Select the Upgrade tab.
3. Click Upload.
4. Browse the file system to find and upload the update image file (.upg).
5. Optionally, click Run check to verify if the current configuration and data model objects
are compatible with the new system revision.

22.1. System 331

Fudo Enterprise 5.4 - System Documentation

Note:
• Click Cancel check to stop the preliminary upgrade check.
• Click Download log to view the upgrade procedure log along with the information on how
long it will take to perform the upgrade.

6. If the upgrade requires initial preparation, click Prepare upgrade.

Note:
• Upgrade preparation minimizes the system’s downtime when running the actual update.
• Click Stop to cancel upgrade preparation. Note that the current preparation stage must
complete, thus cancelling might take a while.
• Click Start to resume upgrade preparation.

7. Click Run upgrade.

Note: In case the upgrade requires preparation, the system upgrade can be performed once the
initial preparation stage is completed. Although it is recommended to wait for the preparation
process to finish. This will reduce the downtime when running the actual system upgrade.

22.1. System 332

Fudo Enterprise 5.4 - System Documentation

8. Click Confirm to proceed with system update.

Note: If you enabled the Deny new connections option before upgrading, make sure to disable
it after restarting the system.

22.1.6.2 Restoring previous system version

In addition to the current system version, Fudo Enterprise stores the previous revision, allowing
for restoring the system to its previous state. In the event of an unsuccessful system update,
Fudo Enterprise detects the problem during system restart and restarts itself using the previous
system revision. It’s also possible to bring the previous version back to the system via the
Restart option from the options menu:

22.1. System 333

Fudo Enterprise 5.4 - System Documentation

Warning: Rollback process will result in the loss of all sessions recorded on the new
system version and any system configuration changes. All the object configura-
tions that were created, changed or recorded between the current and the previous system
versions will be deleted. This includes the password changers activity. If any passwords
were changed during the newer version’s usage, restarting Fudo will lead to lost access to
corresponding systems.

If the active version is chosen in the modal, the system will be restarted as described at the
Restart page.

22.1.6.3 Deleting upgrade snapshot

Deleting upgrade snapshot will free the storage space occupied by previous system version.

Warning: After deleting the upgrade snapshot it will not be possible to restore the system
to previous version.

1. Select Settings > System.

2. Select the Upgrade tab.
3. Click Remove upgrade snapshot.
4. Confirm deleting previous system version.
Related topics:
• System version restore
• Restarting system

22.1. System 334

Fudo Enterprise 5.4 - System Documentation

22.1.7 License

Uploading new license

To upload a new license file, proceed as follows.

Note: New license will replace existing one.

1. Select Settings > System.

2. Select the License tab.
3. Click Upload.

4. Browse the file system to find the license file and click OK to upload and replace current
license definition.
Related topics:
• System

22.1. System 335

Fudo Enterprise 5.4 - System Documentation

22.1.8 Hotfix

The Hotfix feature allows the administrator to upload a minor fix through the Fudo Admin
Panel. The fix package is delivered by the Fudo Support Team. No additional support work or
machine upgrade will be required.
The Hotfix package has Fudo Security HotFix extension (.fshf), and can be uploaded by the
administrator from the Hotfix tab:

The hotfixes cannot be removed or deinstalled as they disappear after the next upgrade.
Related topics:
• System update
• System

22.1.9 Diagnostics

System diagnostics module enables executing basic system command, such as ping, netcat or
traceroute.
To run a diagnostic utility, proceed as follows.
1. Select Settings > System.
2. Select the Diagnostics tab.
3. Find desired utility, provide necessary parameters and execute the command.

22.1. System 336

Fudo Enterprise 5.4 - System Documentation

Command/parameter Description
ldapsearch LDAP search allows querying LDAP server for objects.
Host LDAP server IP address.
Login Login of the user allowed to browse the directory.
Password Password of the user allowed to browse the directory.
Domain Directory domain to query.
Filter Objects filtering parameter.
Attributes LDAP search attributes.

Ping Ping sends a sequence of 10 ICMP packets to selected host.

Numeric output only Does not resolve host’s IP address to its mnemonic name.
Record route Enables tracking packets’ route.

netcat netcat allows establishing connection with remote host on spec-

ified port number.

host host is used to determine if the DNS server correctly resolves

mnemonic hostnames.

traceroute traceroute allows for determining packets’ route between Fudo

Enterprise and the specified host.
Do not resolve hop ad- Subsequent hop IP addresses are not resolved to mnemonic
dresses names.
Use ICMP ECHO instead Enforces traceroute to use UDP packets instead of ICMP.
of UDP datagrams
Firewall evasion mode Enforces the same port numbers for UDP and TCP packets.
Target port is not incremented with each packet sent.
Set the “don’t fragment” Disables packet fragmentation in case the packet exceeds de-
bit fined MTU (Maximum Transmission Unit) value defined for the
network. Exceeding the MTU value results in an error.

22.1. System 337

Fudo Enterprise 5.4 - System Documentation

22.1.10 Configuration encryption

The Master key enables encrypting sensitive configuration parameters, system backups and
external storage volumes. It also allows for recovering internal storage encryption key in case
the pen drives containing encryption key are lost or damaged.

Note:
• The Master key is exported to PEM format and it is encrypted with SMIME using ad-
ministrator’s public key/certificate.
• It is essential to have the Master key exported and stored in a safe location.
• In case the Master key has been compromised, you can invalidate it, which will result in
generating a new one and re-encrypting the data.

Exporting master key

1. Select Settings > System.
2. In the Maintenance and supervision click Export current key.

3. Click Choose file and browse the file system to find the certificate that will be used to
encrypt the Master key.

Note:
• Generate the keys and the CSR (Certificate Signing Request) using openssl :
openssl req -newkey rsa:4096 -keyout privkey.pem -out req.pem
openssl req -nodes -newkey rsa:4096 -keyout privkey.pem -out req.pem # Do not
prompt for a password.
• Sign the CSR:
openssl x509 -req -in req.pem -signkey privkey.pem -out cert.pem

4. Click Confirm and save the the Master key file.

Invalidating current master key

22.1. System 338

Fudo Enterprise 5.4 - System Documentation

In case the current Master key has been compromised, you can invalidate it. Invalidating the
current Master key generates a new one and triggers data re-encryption.
1. Select Settings > System.
2. In the Maintenance and supervision click Invalidate current key.

3. Confirm invalidating the current key.

4. Make sure to export the newly generated key.
Related topics:
• Security measures

22.1.11 Default domain

Note: Please remember that the functionality of the Default Domain option is closely related
to the Fudo Domain settings in the user specification.

• In case the default domain is specified and the user does not have a Fudo domain de-
fined, when logging in to Fudo Enterprise, the user can either include the domain (e.g.
john@domain) or leave it out (e.g. john).

22.1. System 339

Fudo Enterprise 5.4 - System Documentation

• If there are two users with the same login, one of which has the Fudo domain configured
the same as the default domain, and the other does not have the Fudo domain defined,
then:
– If the user provides the domain during login, Fudo Enterprise will match
the user that has the domain explicitly specified.

– In case the user does not provide the domain during login, Fudo Enterprise
will match the user that does not have the domain explicitly specified.

– If the user, which has the Fudo domain configured the same as the default
domain, will try to login without providing the domain, Fudo Enterprise
will report authentication error.
Defining default domain
1. Select Settings > System.
2. In the User authentication and sessions section, provide the default domain.
3. Click Save.
Related topics:
• Creating a user
• Users synchronization

22.1. System 340

Fudo Enterprise 5.4 - System Documentation

22.1.12 Password complexity

Fudo Enterprise enables the definition of static password complexity, allowing you to enforce
passwords that meet your internal regulations.
Defining password complexity
1. Select Settings > System.
2. In the User authentication and sessions section, select Authentication failures to set a
counter of the login failures.
3. Define the minimum number of characters.
4. Select Small letters and provide the minimal number of small letters in the password.
5. Select Capital letters and provide the minimal number of capital letters in the password.
6. Select Special characters and provide the minimal number of special characters in the
password.
7. Select Digits and provide the minimal number of digits in the password.
8. Select the Different password than current option to enforce a password different from the
current one.

9. Click Save.

Note: To enable static password complexity for a particular user, go to Management > Users,
edit desired user and select the Enforce static password complexity option in the Authentication
section.

Enabling password complexity will trigger password change for users with the Enforce static

22.1. System 341

Fudo Enterprise 5.4 - System Documentation

password complexity option enabled whose passwords do not comply with the complexity set-
tings. The password will have to be changed upon logging into the Access Gateway.

Related topics:
• Creating a user
• Users synchronization

22.1.13 Single Sign On

Single Sign On allows to automatically authenticate the user when logging into the system. Fudo
Enterprise allows to set the Single Sign On functionality for both Admin Panel and User Portal
(Access Gateway).

22.1.13.1 Setting up Fudo Enterprise for SSO

1. Set Fudo Enterprise hostname to hostname.yourdomain.local.

• Select Settings > Network configuration.
• Switch to the Name & DNS tab.
• Enter hostname.yourdomain.local in the Hostname field.
2. Configure DNS server to point to a DNS server in the yourdomain.local domain.
• Click Add new to define new DNS server.
• Enter DNS server IP address.
• Click Save.
3. Add user, that has an AD domain account.
• Set up LDAP users synchronization or
• add user account manually, with Active Directory external authentication method.

22.1.13.2 Single Sign On in Admin Panel

Warning: Single Sign On in Admin Panel is available to set for a user with superadmin
role only, and can be used by the users with operator, admin and superadmin roles.

In order to define SSO service parameters in system settings, follow the steps:
• Select Settings > System.
• In the Management SSO settings section, provide service identifier that will
match the user account with the service instance.

22.1. System 342

Fudo Enterprise 5.4 - System Documentation

• Upload the keytab file containing admin’s ID and encryption keys for encrypting
and decrypting Kerberos tickets.

• Click Save.

22.1.13.3 Single Sign On in User Portal

In order to define SSO service parameters in system settings, follow the steps:
• Select Settings > System.
• In the User portal SSO settings section, provide service identifier that will match
the user account with the service instance.
• Upload the keytab file containing user’s ID and encryption keys for encrypting
and decrypting Kerberos tickets.

• Click Save.

22.1. System 343

Fudo Enterprise 5.4 - System Documentation

22.1.13.4 Setting up domain controller

1. Add user account, which will be used by the User Portal or Admin Panel to communicate
with the yourdomain.local domain.

Note: When adding the account, enable the Password does not expire option.

2. On the DNS server add forward and reverse DNS entries for hostname.yourdomain.local.
3. Create a Kerberos ticket for Fudo Enterprise running the following command in the Pow-
ershell or CMD console:
ktpass -princ HTTP/[email protected] -mapuser
sso\username -pass password. - ptype KRB5_NT_PRINCIPAL -out hostname.yourdomain.
local.keytab

22.1.13.5 Setting up user workstations

1. Log in using credential of a user that will be connecting to servers.

2. Launch Internet Explorer.
3. Open the Internet options settings window.
4. Switch to the Security tab.
5. Select the Local intranet option and click Sites.
6. Click Advanced.
7. Add the address hostname.yourdomain.local.
8. Close settings window.
Related topics:
• Creating a user
• Users synchronization

22.1.14 Password changers - active cluster node

Active cluster node option determines the Fudo Enterprise instance responsible for changing
passwords on monitored systems.
1. Select Settings > System.
2. In the Password changers section, select the node delegated to password changing.

22.1. System 344

Fudo Enterprise 5.4 - System Documentation

3. Click Save.

Note: In case the node responsible for changing passwords fails, the task will not be automat-
ically picked up by another Fudo Enterprise instance. In order to restore automatic password
changing, the system administrator will have to change the active password changing node or
bring back the failed node.

22.1.14.1 Cluster Password Changers

Fudo Enterprise allows changing a password on a different node than the one that set as an Active
cluster node for Password changers. In order to have this configured, the following condition
should be met:
Setting up a Password Changer / Password Verifier for an account, a value for
transport_bind_ip variable should indicate the same cluster node for all password changers as
well as password verifiers.

22.1. System 345

Fudo Enterprise 5.4 - System Documentation

Related topics:
• Password changers
• Custom password changers
• Creating a regular account

22.2 Network settings

To change network settings select Settings > Network configuration.

22.2.1 Network interfaces configuration

22.2.1.1 Managing physical interfaces

Defining IP address
Defined IP addresses are physical interface’s aliases, which are used in server’s configuration
procedures (Local address field in proxy configuration).

Note: If the list of the assigned IP addresses is empty and the is no option to define an IP
address, check if given interface is a member of a bridge.

To define an IP of a physical network interface, proceed as follows.

1. Select Settings > Network configuration.
2. Click + and provide IP address and subnet mask in CIDR format.

Note: + will be inactive if the DHCP option is enabled on the given interface.

3. Choose additional options for the IP address being defined.

22.2. Network settings 346

Fudo Enterprise 5.4 - System Documentation

Enable access to administration panel on given IP address. Note that the management
IP address is also used for replicating data between cluster nodes as well as service
access over SSH protocol .

Note: The default port number for service access over SSH protocol is 65522.

Make the alias a virtual IP address which will be take over by another cluster node
in case of the master node’s failure.

Note: Cluster IP address must be added manually on every cluster node, with the
option enabled.

Enable access to User portal on given IP address.

4. Select the redundancy group that the IP address will be assigned to (applicable to virtual
IP addresses).

Note: Redundancy groups are defined in the Cluster view in the Redundancy groups tab. For
more information refer to the Redundancy groups topic.

5. Click Save.

Note: Current state of each network interface is represented with an icon.

Interface active and connected.

Interface active but disconnected.
Interface disabled.

22.2. Network settings 347

Fudo Enterprise 5.4 - System Documentation

Removing defined IP addresses

Warning: Deleting an IP address will disable access to servers which had this IP configured
in the Local address of the proxy server.

To delete an IP address assigned to a given network interface, proceed as follows.

1. Select Settings > Network configuration.
2. Select desired IP address assigned to given network interface and click x.
3. Click Save.

Disabling network interface

To disable a network interface, proceed as follows.
1. Select Settings > Network configuration
2. Click the Active icon next to given interface to deactivate it.

22.2. Network settings 348

Fudo Enterprise 5.4 - System Documentation

3. Click Save.

22.2.1.2 Defining IP address using system console

In case the web administration interface cannot be accessed, IP address can be defined using
console connection.
1. Connect monitor and keyboard to the device.
2. Enter administrator account login and press Enter.

Note: Default login credentials:

login: admin
password: proxycrypto
In cloud Fudo Enterprise versions virtual machine ID is usually set up as default password.
Please contact your Fudo Enterprise reseller to learn more.

22.2. Network settings 349

Fudo Enterprise 5.4 - System Documentation

3. Enter administrator account password and press Enter.

4. Enter 2 and press Enter to change network configuration.

5. Enter y and press Enter to proceed with resetting network configuration.

22.2. Network settings 350

Fudo Enterprise 5.4 - System Documentation

6. Enter the name of the new management interface (Fudo Enterprise web interface is acces-
sible through the management interface).

7. Enter IP address along with the network subnet mask separated with / (e.g. 10.0.0.8/24)
and press Enter.

22.2. Network settings 351

Fudo Enterprise 5.4 - System Documentation

8. Enter network gate and press Enter.

22.2.1.3 Setting up a network bridge

Bridge deployment scenario requires setting up a network bridge.

To configure a network bridge, proceed as follows.
1. Select Settings > Network configuration.
2. Click Bridge.
3. Assign network interfaces or VLANs to the bridge.

22.2. Network settings 352

Fudo Enterprise 5.4 - System Documentation

Note: Setting up a network bridge requires removing all IP addresses directly assigned to
interfaces which are selected as bridge members.

4. Enter IP address and network subnet in CIDR notation.

5. Select Spanning tree option to enable bridge loops prevention.
6. Select the Management option if the administration interface should be available under
assigned IP addresses and click Active.
7. Click Save.

22.2.1.4 Setting up virtual networks (VLANs)

VLAN networks allow separating broadcast domains.

To configure a VLAN on , proceed as follows.
1. Select Settings > Network configuration
2. Click VLAN.
3. Select the physical interface and define VLAN ID.
4. Add IP addresses to given VLAN.

Note: Select DHCP option, to obtain IP address from a DHCP server.

Note: The IP addresses are aliases to the physical interface and are used in servers configura-
tion as proxy server address.

5. Click Active to activate defined VLAN.

6. Click Save.

22.2. Network settings 353

Fudo Enterprise 5.4 - System Documentation

22.2.1.5 Setting up LACP link aggregation

Link aggregation enables combining a number of network interfaces for improved transfer rates
and implementation of failover scenarios in which the services remain available in case of a
network switch failure.
To configure a network link aggregation, proceed as follows.
1. Select Settings > Network configuration.
2. Click Link aggregation.
3. Assign network interfaces.

Note: Setting up a network bridge requires removing all IP addresses directly assigned to
interfaces which are selected as bridge members.

4. Enter IP address and network subnet in CIDR notation.

5. Choose additional options for the IP address being defined.

Enable access to administration panel on given IP address. Note that the management
IP address is also used for replicating data between cluster nodes.

Make the alias a virtual IP address which will be take over by another cluster node
in case of the master node’s failure.

Enable access to User portal on given IP address.

6. Click Save.
Related topics:

22.2. Network settings 354

Fudo Enterprise 5.4 - System Documentation

• Servers management
• Accounts

22.2.2 Labeled IP addresses

IP address labels are global configuration parameters. They are replicated throughout cluster’s
nodes, but their assignment is strictly local, applicable to each node separately. Labels enable
ensuring constant access to LDAP authentication services in case of a node failure and allow for
implementing load balancing scenarios.
Defining a labeled IP address
1. Select Settings > Network configuration.
2. Select the IP labels tab.

3. Click .
4. Provide IP address and enter label name.

Note: Label name can comprise small letters, digits, _ and - characters.

5. Click Save.
6. Use labeled IP address in listener, server or external authentication source configuration.

Related topics:
• Network interfaces configuration
• Authentication
• Servers
• Listeners

22.2. Network settings 355

Fudo Enterprise 5.4 - System Documentation

22.2.3 Routing configuration

In default configuration, Fudo Enterprise directs all incoming traffic to defined gate. Static
routing enables defining routes for packets coming from selected networks.

Note: When defining default route, enter default in the Network field.

Adding a route
To add a route, proceed as follows. There are 7 routing tables available for configuration, with
multiple routes.
1. Select Settings > Network configuration.
2. Select Routing tab.
3. Click Add route to define a new route.
4. Enter network address along with the network mask (e.g. 10.0.1.1/32) and gateway
address.
5. Click Save.

Editing a route
To edit a route, proceed as follows.
1. Select Settings > Network configuration.
2. Select Routing tab.
3. Find and edit desired route entry.
4. Click Save.
Deleting a route
To delete a route, proceed as follows.
1. Select Settings > Network configuration.
2. Select Routing tab.

22.2. Network settings 356

Fudo Enterprise 5.4 - System Documentation

3. Find desired route entry and click the delete icon.

4. Click Save.
Related topics:
• Network interfaces configuration
• Time servers configuration

22.2.4 DNS configuration

Note: DNS servers enable using mnemonic hosts names instead of IP addresses when config-
uring various network resources.

Defining domain search path

Domain search path enables convenient hosts identification based on short names. For example,
defining tech.whl as the domain search path, enables defining target host as ftp instead of
ftp.tech.whl.
To define a domain search path, proceed as follows.
1. Select Settings > Network configuration.
2. Switch to the Name & DNS tab.
3. Enter the domain search path.

Note:
• To define more than one value, enter desired values separated by space character. E.g.
tech.whl wheel.com
• Protocol implementation enables defining up to six domain search paths.

4. Click Save.
Adding a DNS server definition
To add a DNS server definition, proceed as follows.
1. Select Settings > Network configuration.
2. Switch to the Name & DNS tab.
3. Click Add new to define new DNS server.
4. Enter DNS server IP address.

22.2. Network settings 357

Fudo Enterprise 5.4 - System Documentation

5. Click Save.
Editing a DNS server definition
To edit DNS server definition, proceed as follows.
1. Select Settings > Network configuration.
2. Switch to the Name & DNS tab.
3. Find given DNS server and double-click desired field.
4. Change parameter value as needed.
5. Click Save.
Deleting a DNS server definition
To delete a DNS server definition, proceed as follows.

Note: Deleting a DNS server definition may cause interruptions in device operation, if system
configuration uses hosts names instead of IP addresses.

1. Select Settings > Network configuration.

2. Switch to the Name & DNS tab.
3. Find and select given DNS server definition.
4. Click Delete.
5. Click Save .
Related topics:
• Network interfaces configuration
• Time servers configuration

22.2.5 ARP table configuration

Note: Adding an entry to ARP table can resolve network communication issues.

Adding an ARP entry

To add an ARP entry, proceed as follows.
1. Select Settings > Network configuration.
2. Switch to the ARP table tab.
3. Click + Add to define new ARP table entry.
4. Enter IP address and corresponding MAC address.
5. Click Save.
Editing an ARP table entry
To edit an ARP table entry, proceed as follows.

22.2. Network settings 358

Fudo Enterprise 5.4 - System Documentation

1. Select Settings > Network configuration.

2. Switch to the ARP table tab.
3. Find and edit desired ARP table entry.
4. Click Save.
Deleting an ARP table entry

Note: Deleting an ARP table entry may cause system malfunction due to network communi-
cation issues.

To delete an ARP entry, proceed as follows.

1. Select Settings > Network configuration.
2. Switch to the ARP table tab.

3. Find desired ARP entry and click the icon.

4. Click Save .
Related topics:
• Network interfaces configuration
• Time servers configuration

22.3 Notifications

Fudo Enterprise can send email notifications concerning defined connections:

• access request sent,
• session awaiting approval,
• session awaiting approval(push),
• session start,
• session join,
• session leave,
• session policy match,
• session finish.
Notification service is configured when creating new or editing existing connection.

22.3. Notifications 359

Fudo Enterprise 5.4 - System Documentation

Note:
• Notifications can be received by users with operator, admin or superadmin roles.
• To receive notifications, login to Fudo Enterprise administration panel and select desired
notifications in the Safe’s configuration within Granted users tab. You need to do this
with each granted user that should receive the notification.

Email notifications service requires configuring SMTP server.

To configure SMTP server, proceed as follows.
1. Select Settings > Notifications.
2. Select Enabled option.
3. Input Fudo host address, which is a Fudo hostname or IP address that will be included in
URLs within the sent notifications.

Note: Fudo host address is an address to manage notifications from Fudo. Its variable is
required for correct configuration of the Session awaiting approval notifications. The variable is
responsible for creating a link that will be sent to the user via e-mail for accepting the session.

4. Enter configuration parameters for the Primary SMTP server and optionally for the Sec-
ondary SMTP server.

22.3. Notifications 360

Fudo Enterprise 5.4 - System Documentation

Parameter Description
Host SMTP server address, e.g. smtp.gmail.com.
Port SMTP service port number.
Bind address SMTP server IP address or interface address.
Sender email Email address from which the emails will be
sent.
Recipient The recipient of the test message.
Requires authentication Select if the SMTP server requires authenti-
cation.
User User name for authentication on SMTP
server.
Password User password for authentication on SMTP
server.
Use secure connection Select if the mail server uses TLS protocol.
(TLS ) Additionally, select Use STARTTLS option
to enable a secure connection.

Note: Click Test connection to make sure server parameters are correct.

5. Click to upload a CA certificate. Choose the value to show in SHA1 or MD5 format.
6. Click Save.
The Undelivered messages sub-tab shows a list of the notifications that weren’t delivered to
the receiver. This helps the users to diagnose the issue and fix it for the future events. The
messages here can be deleted.

22.3. Notifications 361

Fudo Enterprise 5.4 - System Documentation

22.4 Artificial Intelligence

Fudo Enterprise allows configuring model trainers and behavioral analysis models with custom
settings so that it precisely analyses your users’ behavior, detects unusual actions and marks
sessions as suspicious so that you can quickly react.
Fudo Enterprise’s AI module is a multicomponent system that needs to be set first to properly
work and deliver the best results. There are 3 things to do to use AI module as effective as
possible:
1. Configure model trainers, as described in the following section.
2. Enable AI models so that they run the behavioral analysis based on selected protocols
(SSH and/or RDP), and deliver individual statistics per model.
3. Set session Policies so that AI module can detect specific user’s behavior during a session,
react automatically, and send messages and SNMP TRAP notifications about the current
situation.
When those steps are done, you can observe:
• amount of suspicious sessions for the given period of time on the Dashboard within the
Suspicious sessions widget. The widget also provides an URL to the filtered Sessions list
with Threat level: High criteria set.
• threat levels and Threat Probability of the ongoing sessions within a graph that can redirect
to the suspicious session segment in the player.

22.4.1 Configuring models trainers

Training models requires processing power. Proper system configuration enables optimal pro-
cessing of archived sessions while preserving overall system responsiveness in handling current
user requests.
To change models trainers configuration, proceed as follows.
1. Select Settings > Artificial Intelligence > General.
2. In the Model trainer section, in the Max number of training instances field, define the
number of processes delegated to constructing user profiles.

22.4. Artificial Intelligence 362

Fudo Enterprise 5.4 - System Documentation

Note: Default value is the optimal value based on available hardware resources. The actual
number of processes cannot be higher than the number of available CPU cores.

3. From the Active cluster node dropdown list, select the node responsible for training models.
4. Select weekdays when the training will take place.
5. Set the training start time.
6. Define the timespan of the data which will be processed to create models.

7. In the Quantitive model parameters section, in the Tolerance field, define allowed delta
regarding the number of connections or the length of a single session.

Note: This parameter is used to calculate the threat risk which triggers the alert. Tolerance
value is deducted from the current connections number or the number of minutes of elapsed
session time. E.g. if the expected number of connections is 100, the current connection number
is 109 and the tolerance value is set to 10, alarm will not be triggered as the calculated value
(99) is less than the expected value.

8. In the Report threshold field, define the allowed deviation from the expected results.

Note: Report threshold is defined in % and it determines the threshold value when the alert
gets triggered on the account of too many sessions or a single connection lasting longer than
expected. E.g. with the report threshold set to 1%, the alert will be triggered if the current
number of connections has been observed before in 1% of cases.

22.4. Artificial Intelligence 363

Fudo Enterprise 5.4 - System Documentation

9. In the Session analysis section, in the Number of analyzing instances, define the number
of processes delegated to session analysis.
10. Select the threat level from the Score logging drop-down list to define what type of events
will be registered within the system log.

Note: In case the pool of available data processing processes has been exhausted, online
analysis is suspended. After the session is finished the data is picked up by the session analysis
processes.

10. Click Save.

22.4.2 Behavioral analysis models

Configuration parameters enable fine tuning behavioral models to match the specifics of your
IT environment.

Note: As of Fudo Enterprise 5.3 release, the AI module has been modified.

Warning:
• The upgrade script to the Fudo Enterprise 5.3 version or later disables all AI models
and adds new models during the upgrading process. When the process is finished, all
AI models need to be manually enabled in the Settings > Artificial Intelligence tab.
• If you have cluster configuration, it is required to update the active models on the
master node first.

There are 3 AI models that Fudo Enterprise has for the training and prediction process. They
are protocol-based, thus the models are focused on the activities that the protocols provide:
Mouse biometric Model (RDP) - AI prediction model based on mouse movements and
clicks. It works by deriving a set of over 700 distinct features associated with the way a user
operates a pointing device. Those features are used to train the model which is individually
calibrated for each user to obtain the best possible predictive value whilst minimizing the False
Positive Rate.
Keyboard biometric Model (RDP) - AI prediction model based on keyboard typing dynam-
ics. It works by deriving a set of over a 100 unique features associated with the way a user types
on the keyboard. Those features are used to train the model which is individually calibrated for
each user to obtain the best possible predictive value whilst minimizing the False Positive Rate.
Semantic Behavioral Model (SSH) model is based on the keyboard input (commands). It
works by identifying individual preferences of people to achieve the same results in different
ways. For example one person prefers to use wget over curl and vim over emacs, another person
might use a reset command to clear the terminal while someone else might have a preference
for using CTRL+L combination. Those features are not static but learned from the training data.
Additionally a set of over 600 features for different groups of characters is derived. Those features
are combined with preferences and used to train the model which is individually calibrated for
each user to obtain the best possible predictive value whilst minimizing the False Positive Rate.

22.4. Artificial Intelligence 364

Fudo Enterprise 5.4 - System Documentation

For each AI model Fudo Enterprise shows training statistics, such as:
Time spent for the last building - duration of the last building.
Amount of session segments used - number of the session segments that were used for the
last building.
Entities covered - how many users were participating in the last training session.
True Positive Rate (TPR), sometimes called Recall - is a percentage of malicious sessions
properly flagged by the model as suspicious (the higher the better).
False Positive Rate (FPR) is the percentage of legitimate sessions inappropriately identified
as malicious (the lower the better).
Area Under ROC curve (AUROC) is a single metric representing model quality (the higher
the better).
Statistics of the TPR, FPR and AUROC values are visualized in the colored bar.

Note: Model statistics appear after the model’s first training and are updated after each of
the performed training.

Related topics:
• Sessions
• AI sessions processing
• Policies

22.4. Artificial Intelligence 365

Fudo Enterprise 5.4 - System Documentation

22.5 Trusted time-stamping

A trusted timestamp makes recorded session a more convincing evidence in court.

Prerequisites
• Trusted time-stamping feature requires signing a contract with an institution providing
time-stamping services.
• Certificate and private key issued by the time-stamping service provider.
• KIR time-stamping service requires a DNS server to be configured. Refer to the DNS
configuration topic for more information on adding DNS servers.
• Fudo Enterprise must be able to reach the http://www.ts.kir.com.pl/HttpTspServer
web address in case of the KIR time-stamping service.
• Fudo Enterprise must be able to reach the 193.178.164.5 IP address in case of the PWPW
time-stamping service.
Data Transmitted to Timestamp Provider
When timestamping sessions in Fudo Enterprise, a hash is generated and sent to the timestamp
provider. This hash is composed of session data from the fudo_session table, and content from
the session’s RAW dump. It is a one-way hash, ensuring that no session details can be extracted
from it.

Note: To ensure the generation of a RAW dump, set the Session recording option in Account
settings to all or raw (refer to the Creating a regular account section to see the example).

Enabling and configuring trusted time-stamping

Note: Fudo Enterprise will time-stamp only sessions that have been completed after the
time-stamping feature was enabled.

1. Select Settings > Trusted Timestamping.

2. Select Enabled option.
3. Select from the Provider drop-down list the institution providing trusted time-stamping
services.
4. Provide the certificate and the private key of the time-stamping service.

Note: You should receive these information from your time-stamping service provider.

5. Click Save.

22.5. Trusted time-stamping 366

Fudo Enterprise 5.4 - System Documentation

22.6 Certificate-based authentication scheme

Fudo Enterprise allows authenticating with certificate, complied with PIV standards.
In order to configure authentication method Certificate, proceed as follows:
1. Select Settings > System
2. In the General tab, under the User CA certificates section upload a file with CA certifi-
cate(s) in PEM format.

Note: Fudo Enterprise supports a multiple-domain configuration. For such configuration, the
administrator has to upload a PEM file that consists of root/intermediate certificates from all
the CAs. The Subject field should be unique for each user.

3. Click Save.
4. Go to Management > Users and edit the user, for whom you want to set authentication
method Certificate, or create a new user by selecting Management > Users and then
clicking + Add user.
5. In the Authentication section select Certificate type from the Add authentication method
drop-down list.

22.6. Certificate-based authentication scheme 367

Fudo Enterprise 5.4 - System Documentation

6. Provide Subject and click Save.

Note: The subject must comply with the RFC 2253 or RFC 4514 requirements.

7. Click Save to save changes in the user definition.

22.7. Authentication 368

Fudo Enterprise 5.4 - System Documentation

22.7.1 External authentication server definition

To add an external CERB, Radius, Active Directory or LDAP authentication server, proceed as
follows.
1. Select Settings > Authentication.
2. Click + Add an external authentication source.
3. Select authentication service type: CERB, Radius, Active Directory or LDAP.
4. Provide configuration parameters depending on selected external authentication system
type.
5. Click Save.

Parameter Description
CERB
Host Server’s IP address.
Port Port used to establish connections with given server.
Bind address IP address used for sending requests to given host.
Service CERB service used for authenticating Fudo Enterprise users.
Secret Secret used to establish server connection.
Second factor Additional verification step with authentication methods OATH, SMS
or DUO.
RADIUS
Host Server’s IP address.
Port Port used to establish connections with given server.
Bind address IP address used for sending requests to given host.
NAS ID RADIUS server NAS-Identifier parameter.
Secret Secret used to establish server connection.
Repeat secret Repeat secret used to establish server connection.
Second factor Additional verification step with authentication methods OATH, SMS
or DUO.
LDAP
Host Server’s IP address.
Port Port used to establish connections with given server.
Bind address IP address used for sending requests to given host.
Bind DN Template containing a path which will be used to create queries to
LDAP server.
Encrypted connec- This option is required to be checked for the domain users who change
tion their passwords in the Access Gateway.
Server certificate LDAP server certificate.
Second factor Additional verification step with authentication methods OATH, SMS
or DUO.
Active Directory
Host Server’s IP address.
Port Port used to establish connections with given server.
Bind address IP address used for sending requests to given host.
Active Directory do- Domain which will be used for authenticating users in Active Direc-
main tory.
Continued on next page

22.7. Authentication 369

Fudo Enterprise 5.4 - System Documentation

Table 1 – continued from previous page

Parameter Description
Encrypted connec- This option is required to be checked for the domain users who change
tion their passwords in the Access Gateway.
Server certificate Active Directory server certificate.
Login The privileged account’s login name to modify a user password on the
Active Directory server.
Secret Secret used to establish server connection to modify a user password
on the Active Directory server.
Repeat secret Secret used to establish server connection to modify a user password
on the Active Directory server.
Second factor Additional verification step with authentication methods OATH, SMS
or DUO.

Warning: When additional authentication method (OATH, SMS or DUO) is selected as a Sec-
ond factor for synchronization with External authentication server (AD / LDAP / CERB
/ RADIUS), it won’t be enough to just select one of the External authentication server
source within the User definition. The additionally selected authentication method should
be configured within the User definition as a primary authentication method. Then users’
authentication methods will be automatically synchronized according to External authenti-
cation server settings.

Note: Please note that when configuring Radius authentication within Fudo Enterprise,
only the Password Authentication Protocol (PAP) is supported. It’s important to ensure
that your Radius server is configured to accept PAP requests to guarantee compatibility and
successful authentication with Fudo Enterprise.

Note:
• The Active Directory external authentication method uses the Kerberos protocol as the
first step.
• This functionality is enabled by default.
• To disable the Kerberos authentication option globally, select Settings > System, go to User
authentication and sessions section and deselect Kerberos authentication enabled option.

22.7. Authentication 370

Fudo Enterprise 5.4 - System Documentation

• If enabled, Kerberos is used in RDP sessions authentication against the server and the
Active Directory external authentication method.

Note: In case of cluster configuration, select a labeled IP address from the Bind address
drop-down list and make sure that other nodes have IP addresses assigned to this label. For
more information refer to the Labeled IP addresses topic.

22.7.2 OATH authentication definition

Refer to the Two-factor OATH authentication with Google Authenticator page.

22.7.3 SMS authentication definition

1. Select Settings > Authentication.

2. Choose SMS Authentication tab.

• Input Token length.

22.7. Authentication 371

Fudo Enterprise 5.4 - System Documentation

Note: The token’s length should be in the range of 4-16.

• Input Account ID.

• Input Product token.
• Input API address and its port.

Note: The values for Account ID, Product token and API address are given by CM.COM
service. You need to have a registered account there to be able to obtain the required information.

• Select the Bind address.

3. Click Save.
Configure SMS authentication method for the User:
4. Go to Management > Users.
5. Find and select the user for whom you want to enable SMS authentication.
• Input a phone number in the User data tab, in the Phone input field.

• In the Settings tab, under the Authentication section choose SMS type from the Add au-
thentication method drop-down list.

22.7. Authentication 372

Fudo Enterprise 5.4 - System Documentation

• Choose Static password or External authentication (AD or LDAP) as a First factor.

• Provide static password or external authentication source.
• Select Required password change on next login option if needed.
6. Click Save.
7. Log in to the Access Gateway with SMS code.

22.7.4 DUO authentication definition

1. Download and install Duo Mobile phone application.

2. Sign up for a personal account on Duo Security.
3. Select Settings > Authentication.
4. Choose DUO Authentication tab.

5. Input from the personal Duo Security profile: API address, Integration key and Secret key.
6. Select the Bind address.
7. Click Save.
Configure DUO authentication method for the User:
8. Go to Management > Users.
9. Find and select the user for whom you want to enable DUO authentication.

• In the Settings tab, under the Authentication section choose DUO type from the Add au-
thentication method drop-down list.

22.7. Authentication 373

Fudo Enterprise 5.4 - System Documentation

• Choose Static password or External authentication (AD or LDAP) as a First factor.

• Provide DUO User.
• Provide DUO User Id.
10. Click Save.
11. Log in to the Access Gateway by tapping Accept on push notification from Duo Mobile
application.

22.7.5 OpenID Connect authentication definition

This authentication method is configured globally and is not tied to any particular user. Thus
even if a user has no authentication methods configured, they can authenticate using OpenID
Connect in Access Gateway and Admin Panel.
Follow the steps to configure the OpenID Connect authentication method:
1. Select Settings > Authentication.
2. Choose OpenID Connect authentication tab.
3. Click Add an external authentication source.
4. Check the Enabled option to globally enable OpenID Connect authentication.
5. Provide Name (Azure, Okta or any other Identity Provider).
6. Input Configuration URL.

Note: This URL is specific for every Identity Provider and allows identifying one for correct
configuration. Example of Configuration URL for Google: https://accounts.google.com/.
well-known/openid-configuration.

7. Provide Client ID, Client secret. Those values are available after the registration on se-
lected provider.
8. Add Username mapping and Email mapping. Those fields are useful when user’s name
has different naming convention.
9. Provide Bind address.

22.7. Authentication 374

Fudo Enterprise 5.4 - System Documentation

10. Click Save.

Note: The algorithm to determine the user’s identity is following:

1. The user is initially identified using the sub claim from the OpenID Connect (OIDC)
provider.
2. If the user is not identified using the sub claim from the OIDC provider, the next step
involves checking the autolink setting for the OIDC provider. If this setting is false, the
process concludes without finding the user. However, if the autolink setting is true, the
search process continues.
3. If Username mapping is defined, a search for a corresponding claim in the data is con-
ducted. Once the claim is located in the JSON data, the system then looks for the user
with that name.
4. If Username mapping is not defined, the claim is not found in the data or the user is not
found by name, the next step is to verify if Email mapping is defined. If it is defined and
exists in JSON data, the process then tries to identify the user based on this email.
5. When neither Username mapping nor Email mapping is defined, the system will seek
to identify the user by their name or email. This is done by searching for the upn or
unique_name claims within the data, in this specified order.
6. When the email claim is used for user identification, it is mandatory for the
email_verified field to be included in the data and set to true.
7. The last step checks if the found user has a sub claim stored already, but different from
the one received from the OIDC provider. If they don’t match, it fails.
8. The received user sub claim is stored in the database for future use.

11. Log in using the defined authentication method:

22.7. Authentication 375

Fudo Enterprise 5.4 - System Documentation

Related topics:
• User authentication methods and modes
• OpenID Connect authentication definition with Azure
• System overview
• Integration with CERB server

22.8 External passwords repositories

Fudo Enterprise supports external passwords repositories for managing passwords to monitored
servers.

22.8.1 CyberArk Enterprise Password Vault

Deprecated since version 5.4

• Fudo Enterprise 5.4 is the last version supporting CyberArk Enterprise Password Vault.
The support will be removed in the next release.
• Users using this integration need to migrate to CyberArk Credential Provider external
repository.

Adding a new passwords repository

1. Select Settings > External passwords repositories.
2. Click + Add server.
3. Select CyberArk Enterprise Password Vault from the Type drop-down list.

22.8. External passwords repositories 376

Fudo Enterprise 5.4 - System Documentation

4. Specify object’s name.

5. Provide the URL to the passwords server’s API.
6. Enter user login allowed to access passwords repository.
7. Provide user password in the Password and Repeat password fields.
8. Provide application identification.
9. Define the account format string.
10. Click Save.
11. Assign external password repository to an account.
• Select Management > Accounts.
• Browse objects and click an account to access the settings form.
• In the Credentials section, select password from external repository from the
Replace secret with drop-down list.
• From the External passwords repository select one of the previously defined
password repository.

• Click Save.
Editing a passwords repository
To edit a passwords repository definition, proceed as follows.
1. Select Settings > External passwords repositories.
2. Find the repository definition and change its configuration as desired.
3. Click Save.
Deleting a passwords repository
To delete a passwords repository definition, proceed as follows.
1. Select Settings > External passwords repositories.
2. Find desired repository definition and select the Delete option.
3. Click Save.

Note: You cannot delete password repository definition if it is assigned to any account.

Related topics:
• User authentication methods and modes

22.8. External passwords repositories 377

Fudo Enterprise 5.4 - System Documentation

• System overview
• Integration with CERB server

22.8.2 CyberArk Credential Provider

Adding a new passwords repository

1. Select Settings > External passwords repositories.
2. Click + Add server.
3. Select CyberArk Credential Provider from the Type drop-down list.
4. Specify object’s name.
5. Provide the URL to the passwords server’s API (HTTP or HTTPS).
6. Provide application identification (Application ID).
7. Provide Safe (optional). If Safe is not defined, the search will be performed across all
CyberArk safes.

Note: The search for a given server/account is performed based on the following attributes
from the CyberArk Credential Provider, which must be set up according to the rules below:
• Address - has to match exactly with Fudo server’s IP address (required),
• UserName - has to match exactly with Fudo account’s Login (required) - please refer to
Creating a regular account topic,
• Safe - has to match exactly with external password repository Safe field (optional).

8. When used client certificate authentication Identity certificate and Identity key fields has
to be defined.

Note: Identity certificate and Identity key fields must be filled using PKCS #8 format. To
learn how to generate Identity certificate and Identity key please follow the next section.

9. If HTTPS URL to the passwords server’s API was used, provide HTTPS server certificate
in SSL certificate field.

Warning: If the HTTPS protocol is used without providing an SSL Certificate, the SSL
connection will not undergo verification and will be accepted.

10. Click Save.

11. Assign external password repository to an account.
• Select Management > Accounts.
• Browse objects and click an account to access the settings form.
• In the Credentials section, select password from external repository from the
Replace secret with drop-down list.

22.8. External passwords repositories 378

Fudo Enterprise 5.4 - System Documentation

• From the External passwords repository select one of the previously defined
password repository.

• Click Save.
Generating ‘CyberArk Credential Provider’s‘ client certificate authorization
1. Generate random Serial Number (e.g. 11223344556677) that will be used by CyberArk to
verify the client.
2. Generate client.key and client.crt files using openssl. Example:

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj "/C=PL/ST=Mazowieckie/
˓→L=Warsaw/OU=MyApp/CN=client" -set_serial "11223344556677" -keyout client.key -out␣
˓→client.crt

3. Paste the content of the file client.crt in Identity certificate field.

4. Paste the content of the file client.key in Identity key field.
5. Add client serial number to CyberArk server authentication configuration.
Editing a passwords repository
To edit a passwords repository definition, proceed as follows.
1. Select Settings > External passwords repositories.
2. Find the repository definition and change its configuration as desired.
3. Click Save.
Deleting a passwords repository
To delete a passwords repository definition, proceed as follows.
1. Select Settings > External passwords repositories.
2. Find desired repository definition and select the Delete option.
3. Click Save.

Note: You cannot delete password repository definition if it is assigned to any account.

Related topics:
• User authentication methods and modes
• System overview
• Integration with CERB server

22.8. External passwords repositories 379

Fudo Enterprise 5.4 - System Documentation

22.8.3 Thycotic Secret Server

Adding a new passwords repository

1. Select Settings > External passwords repositories.
2. Click + Add server.
3. Select Thycotic Secret Server from the Type drop-down list.
4. Specify object’s name.
5. Provide the URL to the paswords server’s API.

Note: Specify HTTPS protocol within the URL so that communication with the server is
encrypted.

6. Enter user login allowed to access passwords repository.

7. Provide user password in the Password and Repeat password fields.
8. Define secret string format used for identifying objects on Thycotic Secret Server.
9. Click Save.
10. Assign external password repository to an account.
• Select Management > Accounts.
• Browse objects and click an account to access the settings form.
• In the Credentials section, select password from external repository from the
Replace secret with drop-down list.
• From the External passwords repository select one of the previously defined
password repository.

22.8. External passwords repositories 380

Fudo Enterprise 5.4 - System Documentation

1. Select Settings > External passwords repositories.

2. Find desired repository definition and select the Delete option.
3. Click Save.

Note: You cannot delete password repository definition if it is assigned to any account.

Related topics:
• User authentication methods and modes
• System overview
• Integration with CERB server

22.8.4 Local Administrator Password Solutions (LAPS)

Active Directory/LDAP configuration

The LDAP server should have specified attributes that fall within the computer objectClass:
• dNSHostName - server name - must be identical with server’s unique name specified when
creating the server (refer to section about servers creation, ex. Creating a TCP server ),
• sAMAccountName - login name in that server - must be identical with account’s Login from
Credentials section (refer to Creating a regular account section),
• ms-Mcs-AdmPwd - password in plain text,
• ms-Mcs-AdmPwdExpirationTime - password expiration date (optional).
Adding a new passwords repository

Note: In order to add LAPS password repository in Fudo Enterprise you have to provide
following AD/LDAP parameters:
• URL to AD/LDAP server, e.g., ldaps://10.10.1.1:636/,
• Base DN to AD/LDAP server, e.g., dc=company,dc=com,
• Login and password to AD/LDAP server, e.g., cn=admin,dc=company,dc=com,
• CA Certificate to validate SSL connection to AD/LDAP server.

1. Select Settings > External passwords repositories.

2. Click + Add server.
3. Select Local Administrator Password Solutions (LAPS) from the Type drop-down list.
4. Specify object’s name.
5. Provide the URL to the paswords server’s API.

Note: Supported URL formats:

• ldap://<serer>[:<port>]/ - for connection using plain TCP (without encryption);

22.8. External passwords repositories 381

Fudo Enterprise 5.4 - System Documentation

• ldaps://<serer>[:<port>]/ - for connection over SSL.

6. Enter user login allowed to access passwords repository.

7. Provide user password in the Password and Repeat password fields.
8. Provide Base DN to AD/LDAP server.
9. Provide SSL certificate - if LDAPS URL was specified in URL field.

Warning: If the LDAPS protocol is used without providing an SSL Certificate, the SSL
connection will not undergo verification and will be accepted.

10. Click Save.

• Click Save.

Note: The search for a given server/account is performed based on the following attributes
from the LAPS, which must be set up according to the rules below:
• dNSHostName - server name - has to match exactly with Fudo server’s unique name specified
when creating the server (refer to Creating a TCP server section),
• sAMAccountName - login name in that server - has to match exactly with account’s Login
from Credentials section (refer to Creating a regular account section).

Editing a passwords repository

To edit a passwords repository definition, proceed as follows.
1. Select Settings > External passwords repositories.
2. Find the repository definition and change its configuration as desired.
3. Click Save.

22.8. External passwords repositories 382

Fudo Enterprise 5.4 - System Documentation

Deleting a passwords repository

To delete a passwords repository definition, proceed as follows.
1. Select Settings > External passwords repositories.
2. Find desired repository definition and select the Delete option.
3. Click Save.

Note: You cannot delete password repository definition if it is assigned to any account.

Related topics:
• User authentication methods and modes
• System overview
• Integration with CERB server
Related topics:
• User authentication methods and modes
• System overview
• Integration with CERB server

22.9 Resources

22.9.1 RDP/VNC login screen configuration

Fudo Enterprise enables customizing RDP, SSH and VNC login screen.

22.9. Resources 383

Fudo Enterprise 5.4 - System Documentation

RDP login screen customization

1. Select Settings > Resources.
2. Select the Protocols tab.
3. In the RDP section, click Choose File button and select desired image.

Note: Maximum image size is 512 x 512 px.

4. Input Global announcement text as a message to be appeared on login screen.

Note: Login screen announcement can be four lines, up to 120 characters.

22.9. Resources 384

Fudo Enterprise 5.4 - System Documentation

5. Click Save.
SSH login screen customization
1. Select Settings > Resources.
2. Select the Protocols tab.
3. In the SSH section, input Global announcement text as a message to be appeared on login
screen.

Note: Login screen announcement can be four lines, up to 120 characters.

4. Click Save.
VNC login screen customization
1. Select Settings > Resources.
2. Select the Protocols tab.
3. In the VNC section, click Choose File button and select desired image.

Note: Maximum image size is 512 x 512 px.

4. Input Global announcement text as a message to be appeared on login screen.

Note: Login screen announcement can be four lines, up to 120 characters.

22.9. Resources 385

Fudo Enterprise 5.4 - System Documentation

5. Click Save.
Related topics:
• Quickstart - RDP

22.9.2 User portal login screen configuration

Fudo Enterprise enables customizing information displayed on the User portal login screen.
1. Select Settings > Resources.
2. Select the User portal tab.
3. In the User Portal login screen logo section, click Choose file, browse the file system and
select a custom logo for the User portal login screen.

Note: Maximum image size is 5 MB.

4. Provide company information.

Note: Company information can be five lines, up to 70 characters.

22.9. Resources 386

Fudo Enterprise 5.4 - System Documentation

5. Enter help desk contact information.

Note: Helpdesk contact information can be five lines, up to 70 characters.

6. Provide the login screen announcement.

Note: Login screen announcement can be four lines, up to 120 characters.

22.9. Resources 387

Fudo Enterprise 5.4 - System Documentation

7. Provide information in the Resource in use message field. This information will be dis-
played to the user in the User Portal (Access Gateway) when trying to connect to the
target server, another user will be already connected to that server via the same account.

Note: You can customize this message by including variables (organization, phone, name,
full_name, or email. ), enclosed in double %% symbols. E.g., %%email%%.

Warning: Resource in use feature is available for RDP connections only and can be
configured while Creating an RDP server by checking the Inform about existing connection
option.

8. Click Save.
Related topics:
• User Portal (Access Gateway)

22.10 System version restore

In the case there is a problem with the current system revision, it is possible to restore the
system to its previous version.

Warning: Restoring the system to the previous version will bring back the system’s state
prior the update. Session data and configuration changes in the current system revision
will be lost. This includes the password changers activity. If any passwords were changed
during the newer version’s usage, restarting Fudo will lead to lost access to corresponding
systems.

To restore the system to the previous revision, proceed as follows.

1. Connect one of the USB flash drives containing the encryption key.
2. Select Restart from user options menu.

3. Select the previous system revision to be loaded after restarting the system.

22.10. System version restore 388

Fudo Enterprise 5.4 - System Documentation

Note: Current system version is selected by default.

4. Click Confirm to proceed with restarting the system to the selected revision.

Warning: Restrating the system will terminate all current users’ connections.

Related topics:
• System initiation
• System update

22.11 System restart

Note:
• System restart requires USB flash drive with the encryption key connected to the device.
• Restarting the system will terminate all current users’ connections.
• Use the Deny new connections option in the Sessions section in the system settings menu.

1. Connect one of the USB flash drives containing the encryption key.
2. Select Restart from user options menu.

3. Select the previous system revision to be loaded after restarting the system.

Note: Current system version is selected by default.

22.11. System restart 389

Fudo Enterprise 5.4 - System Documentation

during the newer version’s usage, restarting Fudo will lead to lost access to corresponding
systems.

4. Click Confirm to proceed with restarting the system to the selected revision.
Related topics:
• System initiation
• System version restore

22.12 SNMP

Fudo Enterprise’s status can be monitored over SNMPv3 protocol.

22.12.1 Configuring SNMP

1. Select Settings > System.

2. Select SNMPv3 option in the Maintenance and supervision section.
3. From the IP address drop-down list select IP address, which will be used for SNMP
communication.
4. Click Save.
5. Select Management > Users.
6. Click + Add user.
7. Enter user name and select Service from the Role drop-down list.

Note: SNMP configuration is available only for user with the Service role.

8. Fill in the rest of the parameters if needed.

9. Click Save to create the user and to be able to assign authentication methods.
10. Select Static password from the Authentication drop-down list and enter the password
string.

Note:
• SNMP user password must be at least eight characters long.
• SNMP service authenticates the service account using the first defined password.

11. Go to the More tab, and in the SNMP field, click Enabled option to use SNMP.
12. Select SHA or MD5 from the Authentication method drop-down list.
13. Select AES or DES from the Encryption method drop-down list.
14. Click Save.

22.12. SNMP 390

Fudo Enterprise 5.4 - System Documentation

22.12.2 Configuring SNMPv3 TRAP

On Policies violation, Fudo is able to send a SNMPv3 TRAP,

fudoPolicyViolationNotification with information containing during which session
which user violated which policy. For more details check Fudo’s MIB definition in the following
section.
To configure SNMP TRAPs, the administrator has to configure the service in the System settings
and enable it for a particular policy.
To configure the policy for sending SNMPv3 TRAP notifications about suspicious sessions, follow
below procedure:
1. Select Management > Users.
2. Click + Add user.
3. Enter user name and select Service from the Role drop-down list.

Note: SNMP configuration is available only for user with the Service role.

4. Fill in the rest of the parameters if needed.

5. Click Save to create the user and to be able to assign authentication methods.
6. Select Static password from the Authentication drop-down list and enter the password
string.

Note:
• SNMP user password must be at least eight characters long.
• SNMP service authenticates the service account using the first defined password.

7. Go to the More tab, and in the SNMP field, click Enabled option to use SNMP.
8. Select SHA or MD5 from the Authentication method drop-down list.
9. Select AES or DES from the Encryption method drop-down list.
10. Click Save or Save and close.
11. Go to Settings > System
12. Scroll down to the Maintenance and supervision section and select the SNMPv3 TRAP
option.
13. Configure the SNMPv3 TRAP Server address and Port
14. Select previously created user.
15. Click Save.

22.12. SNMP 391

Fudo Enterprise 5.4 - System Documentation

As Fudo Enterprise uses SNMPv3 for sending TRAPs, the manager software (such as snmptrapd
from Net-SNMP ) has to know the user’s name and password.

Note: The fudoPolicyViolationNotification TRAP contains Fudo object identifiers:

sessionId, userId and policyId. As all identifiers in Fudo Enterprise are 64-bit integers
and SNMP doesn’t support 64-bit integers natively, those ids are encoded as big-endian 8-byte
arrays.

22.12.3 SNMP MIBs

Fudo Enterprise supports following MIBs:

• MIB-II (RFC 1213)
• HOST-RESOURCES-MIB (RFC 2790) - partly supported
• UCD-SNMP-MIB.

22.12.4 Getting SNMP readings using snmpwalk

Note: Getting SNMP readings requires installing Net-SNMP 5.7.3.

Fetching all SNMP information

snmpwalk -v3 -u "${SNMP_USER}" -a SHA -A "${SNMP_PASSWORD}" -x AES -X
"${SNMP_PASSWORD}" -l authPriv "${FUDO_IP}" .1
Fetching specific SNMP information
snmpwalk -v3 -u "${SNMP_USER}" -a SHA -A "${SNMP_PASSWORD}" -x AES -X
"${SNMP_PASSWORD}" -l authPriv "${FUDO_IP}" .1.3.6.1.4.1.24410

22.12. SNMP 392

Fudo Enterprise 5.4 - System Documentation

Data specifier Description

.1.3.6.1.4.1.24410.1.1.1 Disk status (ZFS status)
.1.3.6.1.4.1.24410.1.1.2 Power supply status

Note: This feature is not supported on all

Fudo Enterprise units. Contact technical sup-
port for more information.

.1.3.6.1.4.1.24410.1.1.3 CPU temperatures

.1.3.6.1.4.1.24410.1.1.4 S.M.A.R.T status

22.12.5 Fudo Enterprise specific SNMP extensions

Overview
Extensions enable monitoring the number of active sessions, ZFS status, PSU status (if avail-
able), CPU temperature on all cores, S.M.A.R.T status such as temperature, health or reallo-
cated sectors.
MIB specification file
MIB specification files (Fudo Security Common MIB and Fudo Security PAM MIB) are available
for downloading at the Settings > System in the Maintenance and supervision section:

Related topics:
• Security measures
• Troubleshooting
• Policies

22.12. SNMP 393

Fudo Enterprise 5.4 - System Documentation

22.13 Backup and retention

22.13.1 System backup

Warning: Data backup contains confidential information.

Fudo allows configuring multiple backup target destinations, where data can be stored. Each
backup target can have S3, Backblaze, FTP, or SFTP as a destination place.
To enable automated backups service, proceed as follows.
1. Select Settings > Backup and retention.
2. Select Backup enabled option. Please note that in case of the configured cluster, this option
enables backup for the current node only.
3. Click +Add target in order to add your future backup target place.
4. Set a name for your backup target.
5. Select a type: S3, Backblaze, FTP or SFTP.
6. Provide additional data depending on the selected connection type:
• With S3 type chosen, provide additionally: Bucket, Directory, Access key, Secret Access
key, Region and Endpoint.
• Configuring a Backblaze backup target, provide: Bucket, Directory and credentials, such
as Account and Key.
• For FTP type backup target provide: Directory, Server address and credentials, such as
Username and Password.
• For SFTP type backup target provide: Directory, Server address, Username, User private
key, Server public key and Port number.

7. Click Save.
Now, the configured Backup target can be added to the Safe settings to enable automatic storing
the sessions and safe data in the defined target place.

22.13. Backup and retention 394

Fudo Enterprise 5.4 - System Documentation

Sessions data that was sent to the backup target place is assigned with the respective icon on
the Sessions list.

If the session has its backup version stored outside of Fudo Enterprise, it can be downloaded
from the backup place to the Fudo Enterprise local instance with the Restore option.

Restoring system from backup

System restore service is provided by the technical support department on terms agreed in the
SLA.

22.13. Backup and retention 395

Fudo Enterprise 5.4 - System Documentation

Related topics:
• Exporting/importing system configuration
• Security measures
• Creating a new safe

22.13.2 Data retention

Fudo Enterprise supports two data retention scenarios depending on the availability of external
storage:
• Two-steps retention: Initially, data is transferred from the internal storage to external
storage connected via a fiber channel interface. After defined time period session data
is automatically deleted.
• One-step retention: If external storage is not used, sessions will be immediately deleted
from Fudo Enterprise.
For more information on configuring the external storage, see the External storage chapter.

Note: Sessions which have been exported and the content is still available for download, will
not be deleted automatically. These sessions must be either deleted manually or you must delete
the exported material in the Downloads section for the retention mechanism to delete those
session.

Enabling data retention

To enable data retention service, proceed as follows.
1. Select Settings > Backup and retention > Retention.
2. Select Remove session data option in the Data retention section to have the data auto-
matically removed after specified time period.
3. Define how long data will be stored before being removed.
4. Select Remove debug logs option in the Logs retention section to have the debug logs
automatically removed after specified time period.
5. Define how long debug logs will be stored before being removed. Default value is 90 days.
6. In the Logs retention - sensitive section define how long all the logs will be stored before
being removed.

Warning: The following feature will have impact after enabling logs data removal. Go to
Settings > System to check Enable logs data removal option in the Sensitive features and
system security section.

22.13. Backup and retention 396

Fudo Enterprise 5.4 - System Documentation

7. Click Save.
Overwriting the global value of the data retention for accounts
It is possible to overwrite the value of the data retention parameter for the selected account. To
specify the value of the data retention parameter in the account settings, proceed as follows.
1. Select Management > Accounts.
2. Find and click desired object’s name to open its configuration page.
3. In the Data retention section, define automatic data removal settings.
• Select Override global retention settings option to set other than global retention
values for connections established using this account.
• Check the Delete session data option to exclude sessions from retention mechanism.
• Next to the Delete session data field, define the number of days after which the session
data will moved to external storage device. Default value when the option is checked,
is 30 days.
4. Click Save.

Note:
• Defining the retention parameter value in the account settings will not activate data reten-
tion itself. Data retention has to be enabled globally (from the menu Settings > Backup
and retention > Retention).
• Global retention parameter values have lower priority than the values set in the accounts.
• Global retention settings are replicated within the cluster configuration. Please note that
Remove session data after variable is not replicated within the cluster but is set per node.

Sessions’ retention lockdown

Fudo Enterprise allows for excluding selected sessions from the retention mechanism. Session
exclusion procedure is described in chapter Sessions’ retention lockdown.
Related topics:

22.13. Backup and retention 397

Fudo Enterprise 5.4 - System Documentation

• Security measures
• Exporting/importing system configuration
• Creating a new safe

22.14 External storage

Fudo Enterprise enables storing session data on external storage devices connected to Fudo
through a fiber channel interface.

Note: External storage in cluster configuration

• In cluster configuration, each node must have a dedicated WWN object.
• Data stored externally is not replicated between cluster nodes.

22.14.1 Configuring external storage

1. Select Settings > External storage.

Note: Fiber channel cards status is depicted by the icons.

• - both fiber channel cards are operational.
• - external storage volume is degraded - one of the fiber channel card is down.
• - both fiber channel cards are down.

2. Select fiber channel cards operating mode.

• Failover - data is transmitted using one fiber channel interface. If the card fails, the
other one takes over ensuring continuous availability of the external storage device.
• Load balancing - both fiber channel interfaces are used to transfer data between Fudo
Enterprise and the external storage device.

3. In the External storage devices section, select desired WWN object and click the
icon.

Note: Click the icon to refresh the list of available storage devices.

4. Click Save and proceed with enabling session data retention.

22.14. External storage 398

Fudo Enterprise 5.4 - System Documentation

22.14.2 Expanding external storage device

After resizing the WWN object, it must be expanded in Fudo Enterprise in order to take ad-
vantage of the additional storage space.

Warning: The storage device cannot be down-sized after it has been expanded.

1. Select Settings > External storage.

2. In the section describing the WWN object click Expand.
3. Confirm expanding external storage.
4. Click Save.
Related topics:
• System backup

22.15 Exporting/importing system configuration

Fudo Enterprise enables exporting current system state, defined objects and configuration set-
tings, which later can be used to initiate the system.

Warning: Exported configuration data contains confidential information.

Note: Configuration export and import options are available only for the superadmin users.

22.15.1 Exporting system configuration

To export system configuration, proceed as follows.

1. Select Export configuration from the user menu.
2. Save the configuration file.

22.15. Exporting/importing system configuration 399

Fudo Enterprise 5.4 - System Documentation

22.15.2 Importing system configuration

Warning: Importing a configuration file and initiating system with imported data will
delete all existing session data.

To import a system configuration file, proceed as follows.

1. Find and decrypt the Master key file using opessl :
openssl smime -decrypt -in path/to/masterkey.pem -inkey privkey.pem -out
masterkey.tar
2. Select Import configuration from the user menu.

3. Click Choose file and select the Master key file.

Note: Master key must be decrypted before it’s

4. Click Choose file and select the configuration file.

5. Click Confirm.
6. Click Confirm to proceed with initiating the system with the imported data.
Related topics:
• Configuration encryption
• System backup
• System initiation
• System update

22.15. Exporting/importing system configuration 400

Fudo Enterprise 5.4 - System Documentation

22.16 Cluster configuration

Fudo Enterprise cluster ensures uninterrupted access to servers in case of cluster node failure as
well as enables implementing static load balancing scenarios.

Warning:
• Cluster configuration does not facilitate data backup. If session data is deleted on one
of the cluster nodes, it is also deleted from other nodes.
• Data model objects: safes, users, servers, accounts and listeners are replicated within
the cluster and object instances must not be added on each node. In case the replication
mechanism fails to copy objects to other nodes, contact technical support department.

Data replication between cluster nodes is highly customizable. The administrator can choose
the node that the data will be replicated to as well as which data (data model objects/session
data) is replicated.
In case of a node failure, user access requests will be picked up by another cluster node, deter-
mined by the redundancy group priority.
Current session data is replicated to other nodes while the connection is still ongoing.

If the node that fails was recording sessions, those sessions will be terminated. . .

. . . and users will have to reconnect.

A part of the session data from the node that malfunctioned, which has synchronized, can be
accessed on the other nodes, but the session will be fully accessible once the node becomes
operational and session data is synchronized between cluster nodes.

22.16. Cluster configuration 401

Fudo Enterprise 5.4 - System Documentation

Session replication status can be verified by clicking the icon on the sessions list.

22.16. Cluster configuration 402

Fudo Enterprise 5.4 - System Documentation

22.16.1 Initiating cluster

Warning: In cluster configuration all cluster nodes must have NTP server configured .

To initiate Fudo Enterprise cluster, proceed as follows.

1. Select Settings > Cluster.
2. Click Create cluster, to display cluster definition options.
3. Provide node name and description helping identify given object.
4. From the Address drop-down list, select IP address for communicating with other cluster
nodes.

Note: Cluster communication address must have the management option enabled in the
network configuration.

5. Click Submit.

Note: Message concerning cluster key can be ignored when initiating cluster.

Related topics:
• Adding cluster nodes
• Editing cluster nodes
• Deleting cluster nodes
• Redundancy groups
• Cluster configuration

22.16. Cluster configuration 403

Fudo Enterprise 5.4 - System Documentation

22.16.2 Adding cluster nodes

Warning:
• Session and configuration data (servers, users, safes, accounts, listeners, external au-
thentication servers) of the joining node are deleted and initiated with data replicated
from the cluster.
• Data model objects: safes, users, servers, accounts and listeners are replicated within
the cluster and object instances must not be added on each node. In case the replication
mechanism fails to copy objects to other nodes, contact technical support department.

To add a node to Fudo Enterprise cluster, proceed as follows.

1. Log in to the Fudo Enterprise administration panel where the cluster has been initiated .
2. Select Settings > Cluster.
3. Click Add node to display new node configuration parameters.

4. Provide node’s name and optional description.

5. Provide node’s IP address.

Note: Management option has to be enabled on given network interface. Refer to Network
settings: Network interfaces configuration for details on configuring network interfaces.

22.16. Cluster configuration 404

Fudo Enterprise 5.4 - System Documentation

6. Click to download node’s public SSH key.

7. In the Relations section, click + Add.
8. Select the cluster node to which the data from the given node will be replicated.
9. Select which data will be replicated.

10. Select OCR option to delegate OCR processing in case they cannot be processed locally.

22.16. Cluster configuration 405

Fudo Enterprise 5.4 - System Documentation

Note: Each Fudo Enterprise instance has a defined number of resources dedicated to OCR
processing. If the OCR option is selected, excess of sessions that cannot processed locally at the
moment, is forwarded for processing to selected node.

11. In the Relations section of the primary node, click + Add.

12. Select the cluster node to which the data from the given node will be replicated.
13. Select which data will be replicated.
14. Click Save, to add node definition.
15. Copy cluster key to clipboard.
16. Log in to administration panel of the joining node.
17. Select Settings > Cluster.
18. Click Join cluster.
19. Paste cluster public SSH key and click Submit.

20. Click I understand the consequences, proceed.

22.16. Cluster configuration 406

Fudo Enterprise 5.4 - System Documentation

Note: To view session replication status, go to sessions list and click the icon.

Related topics:
• Editing cluster nodes
• Deleting cluster nodes
• Security: Cluster configuration

22.16. Cluster configuration 407

Fudo Enterprise 5.4 - System Documentation

22.16.3 Editing cluster nodes

To modify a cluster node’s configuration, proceed as follows.

1. Select Settings > Cluster.
2. Find and edit desired node parameters.
3. Click Submit.
Related topics:
• Adding cluster nodes
• Deleting cluster nodes
• Security: Cluster configuration

22.16.4 Deleting cluster nodes

Warning:
• Removing a node and re-adding it to a cluster may result in data loss.
• After removing a node, you will no longer be able to delete session data recorded by
this node and replicated to other nodes.

To remove a cluster node, proceed as follows.

1. Select Settings > Cluster.
2. Find desired node and select Delete.
3. Click Submit.
Related topics:
• Adding cluster nodes
• Editing cluster nodes
• Security: Cluster configuration

22.16.5 Redundancy groups

Redundancy groups ensure high system availability. If a master node fails, IP addresses assigned
to the redundancy group will be automatically picked up by another node with the highest prior-
ity assigned to this group. Assigning different priorities to different redundancy groups enables
implementing static load balancing scenario while fully preserving high availability features.

Note: Redundancy groups configuration options are available only after initializing the cluster.

Adding redundancy groups

To add a redundancy group, proceed as follows.

22.16. Cluster configuration 408

Fudo Enterprise 5.4 - System Documentation

1. Select Settings > Cluster.

2. Switch to the Redundancy groups tab.
3. Click + Add redundancy group.
4. Define group properties.

Parameter Description
Name Descriptive name of the redundancy group.
ID Redundancy groups identifier (1-255).
Priority Redundancy group priority (0-254), the lower the number the higher the
priority.
Redundancy group with higher priority assumes the master role and
handles all requests to monitored servers accessed through IP addresses
assigned to this group. In case given cluster node crashes, user requests
are directed to on of the remaining nodes with the highest priority defined
for given redundancy group.
Interlink interface Network interface used for monitoring the state of the given redundancy
group. The master node broadcasts keep-alive packets in the 2nd net-
working layer informing other nodes that it is up and running while other
cluster nodes use the interlink interface to listen for those packets.

Note: By default, once a node takes the master role, it will continue on indefinitely as the
master node.

5. Click Save.
6. Select Settings > Network configuration.

7. Click to add new IP address.

8. Enter IP address and click the icon to mark the entry as a cluster IP address.
9. Assign previously added redundancy group.
10. Click Save.

22.16. Cluster configuration 409

Fudo Enterprise 5.4 - System Documentation

Note: Cluster IP address must be defined on every cluster node.

Editing redundancy groups

To modify a redundancy group, proceed as follows.
1. Select Settings > Cluster.
2. Switch to the Redundancy groups tab.
3. Find and edit desired redundancy group definition.
4. Click Save.
Deleting a redundancy group
To delete a redundancy group, proceed as follows.
1. Select Settings > Cluster.
2. Switch to the Redundancy groups tab.
3. Select Delete next to the desired redundancy group.
4. Click Save.
Demoting a redundancy group

Note: Demoting redundancy group transfers the master role for given group to another cluster
node. The master role is assumed by one of the remaining nodes, on which the given redundancy
group has the highest priority defined.

To demote a redundancy group, proceed as follows.

1. Select Settings > Cluster.
2. Switch to the Redundancy groups tab.
3. Click Demote next to the desired redundancy group.
4. Click Confirm.

22.16. Cluster configuration 410

Fudo Enterprise 5.4 - System Documentation

Note: If after demoting a redundancy group no other node assumes the master role for the
given group, it will be reassigned to the node which previously had this role.

Enforcing a slave role

Note: Enforcing a permanent slave role on a redundancy group ensures that the given node
will not assume master role on given redundancy group despite the state that other nodes are in.
It’s recommended for directing all traffic to other nodes before performing maintenance tasks on
given cluster node. A different use case scenario would be a cluster node in a remote location
with no 2nd network layer communication with other nodes.

To enforce a permanent slave role on a redundancy group, proceed as follows.

1. Select Settings > Cluster.
2. Switch to the Redundancy groups tab.
3. Find desired redundancy group and select Enforce slave mode from the Interface drop-
down list.
4. Click Save.
Related topics:
• Security: Cluster configuration
• Initiating cluster
• Cluster configuration

22.16. Cluster configuration 411

Fudo Enterprise 5.4 - System Documentation

22.17 Events log

System log is an internal registry of users activities which influence system state (login informa-
tion, administrative actions, etc.).
To display system log contents, select Settings > System log.

22.17.1 External syslog servers

Note:
• Fudo Enterprise communicates with the syslog server over UDP protocol.

• Messages to the syslog server are send through an interface with the option enabled,
with an IP address that the target host’s network is reachable from or using the default
gateway.

Adding a Syslog server

To add a Syslog server, proceed as follows.
1. Select Settings > Events log.
2. Click Configure syslog to display syslog servers configuration settings.
3. Select Enable events logging on syslog servers option to activate sending logs to defined
syslog servers.
4. Select Enable sending debug logs option to activate sending debug logs within messages to
defined syslog.
5. Click +.
6. Provide server’s IP address and port number.
7. Click Save.

Note:
• Log entries sent to syslog servers are formatted as follows:

22.17. Events log 412

Fudo Enterprise 5.4 - System Documentation

[<log_level>] (<component_name>) (object_name: object_id) <message>

Example:
[INFO] (fudordp) (fudo_server: 848388532111147015) (fudo_session:
848388532111147219) (fudo_user: 848388532111147012) (fudo_connection:
848388532111147014) User user0 authenticated using password logged in from IP
addres: 10.0.40.101.
• For detailed list of log messages, refer to the Log messages topic.

Editing Syslog server definition

To edit a Syslog server definition, proceed as follows.
1. Select Settings > Events log.
2. Click Configure syslog to display syslog servers configuration settings.
3. Find and edit desired syslog server definition.
4. Click Save.
Deleting Syslog server definition
To delete a Syslog server definition, proceed as follows.
1. Select Settings > Events log.
2. Click Configure syslog to display syslog servers configuration settings.
3. Find desired server definition and click the i icon.
4. Click Save.

22.17.2 Exporting events log

To export events log entries, proceed as follows.

1. Select Settings > Events log.
2. Click Export logs and select where to save exported log entries.
Related topics:
• Log messages
• Security
• Managing servers

22.17. Events log 413

Fudo Enterprise 5.4 - System Documentation

22.18 Changing encryption passphrase

In case of Fudo Enterprise deployed in a virtual environment, data is encrypted using a

passphrase. To change current passphrase, proceed as follow.
1. Log in to system console on an account with superadmin privileges.
2. Type in 3 and confirm by pressing the Enter key.

3. Type in y and press the Enter key, to proceed with changing encryption passphrase.
4. Enter the new passphrase and press the Enter key.
5. Enter the passphrase once again and press the Enter key.

22.18. Changing encryption passphrase 414

Fudo Enterprise 5.4 - System Documentation

6. Restart the system to apply changes.

Related topics:
• System update
• System backup

22.19 Integration with CERB server

CERB is complete user authorization solution which supports a number of authorization mech-
anisms (i.e. mobile token, onetime passwords, etc.). The following procedure describes configu-
ration steps required to enable Fudo Enterprise to verify users credentials using CERB server.
CERB server configuration
1. Adding RADIUS client.
• Select RADIUS clients > Add client to add Fudo Enterprise as a RADIUS client.

• Provide Fudo Enterprise IP address, client’s name and password and click Save.

22.19. Integration with CERB server 415

Fudo Enterprise 5.4 - System Documentation

Note: Password will be required to define external authorization server in Fudo Enterprise
administration panel.

2. Adding user group.

• Select Groups > Add group to define Fudo Enterprise users who will be authorized by the
CERB server.

• Enter group’s name (fudo_users) and click Save.

22.19. Integration with CERB server 416

Fudo Enterprise 5.4 - System Documentation

3. Adding user.
• Select Users > Add user to open new user definition window.

• Provide user name, description and select desired authorization module (refer to CERB
server documentation form more information on authorization modules).

22.19. Integration with CERB server 417

Fudo Enterprise 5.4 - System Documentation

Note: Username is used to authenticate users on Fudo Enterprise.

• Assign user to previously created fudo_users group and click Save.

22.19. Integration with CERB server 418

Fudo Enterprise 5.4 - System Documentation

4. Configuring service.
• Select Services > Add service to open new service definition window.

• Provide name identifying authorization service (cerb_fudo) and service description.

22.19. Integration with CERB server 419

Fudo Enterprise 5.4 - System Documentation

• Add fudo_users group to service and click Add.

Fudo Enterprise server configuration

1. Adding CERB external authorization server.
• Select Settings > External authentication.
• Click Add external authentication source to add CERB server definition.
• Provide CERB server IP address, secret and service name identifying authorization service.

Note: Secret must match the RADIUS client password on CERB server. Service name must
match the service name on CERB

22.19. Integration with CERB server 420

Fudo Enterprise 5.4 - System Documentation

• Click Save.
2. Adding user.
• Select Management > Users.
• Click Add.
• Provide basic user information.

Note: Username must match the user name defined on CERB server.

• Add safes that the user will be able to access.

• In the Authentication section, select External authentication from the Type drop-down list
and select previously created Cerb server from the External authentication source drop-
down list.

• Click Save.
Related topics:
• Users
• Authentication
• User authentication methods and modes

22.19. Integration with CERB server 421

Fudo Enterprise 5.4 - System Documentation

22.20 System maintenance

The following section contains descriptions of maintenance procedures.

Fudo Enterprise allows resizing internal system storage by applying the Virtual Hardware storage
settings. Once respective VM changes are made, restart your Fudo instance, as described at the
Restart page so that the current VM settings are taken by Fudo Enterprise.

22.20.1 Backing up encryption keys

Encryption keys stored on USB flash drives are necessary to initialize the file system, which
stores session data. If the USB flash drive is lost or damaged, it will be impossible to boot the
system and access session data.
Microsoft Windows

Warning: After connecting the flash drive to your computer, do not initiate or format it.
Ignore the system message about it not being able to read data and proceed with the backup
procedure.

1. Download and install HDD Raw Copy Tool.

http://hddguru.com/software/HDD-Raw-Copy-Tool/ (portable version is also
available)
2. Start the program.
3. On the source drive selection window, choose the USB drive with the encription key and
click Continue.

4. Click FILE twice, select the target image file and click Continue.
5. Click START to proceed with copying data.

22.20. System maintenance 422

Fudo Enterprise 5.4 - System Documentation

6. Once the following message occurs

Operation terminated at offset... close the application and disconnect the
USB drive.

22.20. System maintenance 423

Fudo Enterprise 5.4 - System Documentation

7. Connect another USB drive and start HDD Raw Copy Tool.
8. On the source drive selection screen select FILE and browse the file system to find the
encryption keys image file.
9. Select the newly connected USB flash drive as a target device and click Continue.

10. Click Continue.

11. Click START.

22.20. System maintenance 424

Fudo Enterprise 5.4 - System Documentation

12. The copying will end once the following message occurs:
Operation terminated at offset....

13. Close the application and disconnect the USB drive.

Mac OS X
1. Start the terminal.
2. Execute the sudo -s command and enter password.
3. Execute the diskutil list to list connected drives.
4. Find the drive with the following partitions layout:

/dev/disk2 (external, physical):

# : TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *8.0 GB disk2
1: F649773F-1CD6-11E1-9AD2-00262DF29F0D 3.1 KB disk2s1
2: 2B163C2B-1FE5-11E1-8300-00262DF29F0D 1.0 KB disk2s2

5. Execute the dd if=/dev/disk2 of=fudo_pen.img bs=1m command, where if points to

the USB drive.
6. Disconnect the flash drive and connect the new one.
7. Execut the dd if=fudo_pen.img of=/dev/disk2 bs=1m command.
8. Execute the sync command.
9. Disconnect the USB flash drive from your computer.
Linux

22.20. System maintenance 425

Fudo Enterprise 5.4 - System Documentation

1. Start the terminal.

2. Execute the sudo -s command and enter password.
3. Execute the dmesg | less command to determine the USB flash drive identifier.
4. Execute the dd if=/dev/disk2 of=fudo_pen.img bs=1m command, where if points to
the USB drive.
5. Disconnect the flash drive and connect the new one.
6. Execut the dd if=fudo_pen.img of=/dev/disk2 bs=1m command.
7. Execute the sync command.
8. Disconnect the USB flash drive from your computer.
Related topics:
• Events log
• Frequently asked questions

22.20.2 Monitoring system condition

Monitoring system condition allows preventing system failures and overloads, ensuring Fudo
Enterprise Fudo Enterprise remains operational.
Monitoring active sessions
1. Login to Fudo Enterprise administration panel.
2. Select Management > Dashboard.
3. Check the number of currently running user sessions.

Note: Fudo Enterprise supports up to 300 RDP connections.

Monitoring network bandwidth

1. Login to Fudo Enterprise administration panel.
2. Select Management > Dashboard.
3. Check current network transfer rate.

Note: Fudo Enterprise features 1Gbps network interface cards. In case the current network
bandwidth usage exceeds 500Mbps, users may notice a decrease in system communication per-
formance.

Monitoring storage

Warning: Fudo Enterprise will not allow new connections when storage usage reaches 90%.

1. Login to Fudo Enterprise administration panel.

2. Select Management > Dashboard.

22.20. System maintenance 426

Fudo Enterprise 5.4 - System Documentation

3. Check the storage usage percentage, review and delete archived sessions to free up space
if need be.

Related topics:
• System log
• Frequently asked questions

22.20.3 Health Check

Fudo Enterprise regularly checks its “health” status. There are multiple tests that check the
status of both hardware and software components. These tests are called “health checks”.
The results of the health checks can be accessed by an administrator in two ways:
1. Using SNMP , which provides all health check results.
2. Using the API health check endpoint, which provides a summary of all health checks.

22.20. System maintenance 427

Fudo Enterprise 5.4 - System Documentation

22.20.3.1 API Health Check

The Health Check API option is available under the Maintenance and supervision section of the
Settings > System tab.

Enabled the API endpoint providing quick information about Fudo Enterprise’s health status.
It may be used by external devices to periodically check Fudo Enterprise’s health status.
The information is available as a JSON object:

{
"status": "${value}"
}

The ${value} may be set to:

• ok: if Fudo Enterprise works properly
• error: if Fudo Enterprise doesn’t work properly and some of it functions may not be
available.

Note: The health check status is designed to be simple and easy to interpret, therefore it
doesn’t contain detailed information about the problems that caused the error status. The
detailed information about health check results can be obtained using SNMP .

After enabling, the endpoint will be available at a URL path:

api/healthcheck

Warning: The API endpoint is accessible without authentication. It means that anyone
having TCP access to Fudo Enterprise will be able to get information about its health status.

22.20. System maintenance 428

Fudo Enterprise 5.4 - System Documentation

22.20.4 Call Home

Call Home is an opt-in service that allows Fudo Support Team to connect remotely to the client’s
system and perform required operations for the client.
In order to configure the Call Home service, proceed as follows:
1. Go to Settings > System, and then to the Maintenance and supervision section.
2. Check the Call Home option.
3. Choose the IP address of your Fudo Enterprise instance or Any address.
4. Additionally, check the Send diagnostics option to share diagnostic results with Fudo
Support Team.

Note:
• The Call Home functionality requires an account created on Fudo Security servers. To
create an account, contact your partner and provide your machine Fudo Unique Identifier
(FUID). Check at the Footer Information page where you can see your FUID.
• Fudo appliance will establish an outgoing SSH connection to home.fudosecurity.com.

22.20.5 Hard drive replacement

In default configuration, Fudo Enterprise’s storage array comprises 12 hard drives in RAIDZ2
configuration running ZFS file system allowing the system to remain fully operational in case of
a failure of two hard drives.
Replacing a hard drive
1. Move the front bezel release latch to the left and take the front bezel off.

22.20. System maintenance 429

Fudo Enterprise 5.4 - System Documentation

2. Push the hard drive tray lever release button and pull the lever to take out the tray from
the chassis.

3. Unscrew the screws securing the hard drive and take out the hard drive from the tray.
4. Install replacement hard drive in the tray and secure it with the screws.
5. Install the hard drive tray back in the server.

Note: Fudo Enterprise will automatically detect the change in the storage array state and will
start rebuilding the data structure. The duration of the array rebuilding process depends on the
volume of data stored on the server.

Related topics:
• Hardware overview
• Frequently asked questions

22.20.6 Resetting configuration to default settings

Warning: Configuration reset procedure is irreversible and it results in deleting all recorded
sessions, system settings and defined objects. The device needs 2 pendrives plugged in to be
properly executed.

1. Access system terminal.

2. Enter administrator account login and press Enter.

22.20. System maintenance 430

Fudo Enterprise 5.4 - System Documentation

3. Enter administrator account password and press Enter.

4. Enter 9 and press Enter.

22.20. System maintenance 431

Fudo Enterprise 5.4 - System Documentation

5. Enter y and press Enter.

6. Enter y and press Enter to proceed with factory reset.

22.20. System maintenance 432

Fudo Enterprise 5.4 - System Documentation

Note: In case you are returning a demonstration unit, remember to also erase the USB flash
drive containing the encryption key.

Related topics:
• Network interfaces configuration
• System maintenance

22.20. System maintenance 433

CHAPTER 23

Reference information

23.1 RDP connections broker

Connections broker enables users to reconnect to their existing sessions on a specific server within
a pool of load-balanced resources.
If the broker identifies an existing user session on another server, the connection will be redirected
to it and the user will be prompted to login again.

Note: To successfuly redirect a connection, the server identified by the broker must be defined
on Fudo Enterprise, it must listen on default RDP port (3389) and user must be allowed to
connect to given server.

434
Fudo Enterprise 5.4 - System Documentation

Related topics:
• Data model
• RDP
• Servers
• Accounts

23.2 Log messages

Note: Message code contains information on the type of the log message and the component
that logged the information.

Message code Message and description

FSE0001 Internal system error.
FSE0002 Fudo certificate error.
FSE0003 Unable to change configuration settings.
FSE0004 Configuration import error.
FSE0005 Unable to initialize ${disk}.
FSE0006 Invalid license.
FSE0007 Unable to find license file.
FSE0008 Unable to attach hard drive ${disk}.
FSE0009 Upgrade failed.
FSE0010 License expired.
FSW0011 Retention module was unable to delete session ${sessid} from database.
FSW0012 Retention module error, session ${sessid} skipped.
FSI0013 Session ${sessid} removed according to retention policy.
FSW0014 Retention module was unable to remove session ${sessid}.
FSI0015 Redundancy group ${name} switched to master role.
FSW0016 Unable to send email, SMTP server not configured.
FSI0017 Redundancy group ${name} switched to slave role.
FSI0018 Hard drive ${disk} initialization started.
FSI0019 Hard drive ${disk} initialization completed. Data synchronization may
take a moment.
FSE0020 System backup error.
FSI0021 Hard drive ${disk} attached.
FSI0022 Unsupported hard drive hot-swap.
FSI0023 Manual encryption does not support hard drive hot-swap.
Continued on next page

23.2. Log messages 435

Fudo Enterprise 5.4 - System Documentation

Table 1 – continued from previous page

Message code Message and description
FSE0024 Hard drive belongs to another Fudo (${diskserial}) ${disk}.
FSI0025 Cluster node ${name} (${address}) host key set to ${hostkey}.
FSE0026 Cluster communication error.
FSI0027 Cluster node ${name} initialized.
FSE0028 Unable to join node to cluster.
FSI0029 Resumed data synchronization.
FSI0030 Node ${node} initially synchronized.
FSE0031 Timestamping service communication error.
FSE0032 Unable to timestamp session.
FSE0033 Unknown timestamping service provider.
FSI0034 Session ${SESSION} was timestamped.
FSI0035 Email ${mailname} sent to ${admin_email}.
FSW0036 Unable to send email ${mailname} to ${admin_email} through ${ac-
count} server.
FSW0037 Output from SMTP client: ${out}.
FSI0038 Saved email ${mailname} sent to ${admin_email}.
FSI0039 System image version ${FULLNEW} uploaded successfully.
FSE0040 Communication error with cluster node %s (%s): Fudo version mismatch
(local: %s, remote: %s).
FSI0041 Initial connection from master cluster node.
FSI0042 Cluster node %s (%s) connected from address %s.
FSI0043 Connection from another cluster node.
FSI0044 Connected to cluster node %s (%s) on address %s.
FSI0045 Initial database replication to cluster node %s (%s) completed.
FSE0046 There is no filter called %s.
FSW0047 Error sending notification.
FSE0048 Error authenticating user over RADIUS.
FUI0049 User %s authenticated using password logged in from IP address: %s.
FUI0050 User %s authenticated using password.
FUI0051 User %s authenticated through %s (Host: %s, Port: %d, %s: %s) logged
in from IP address: %s.
FUI0052 User %s authenticated through %s (Host: %s, Port: %d, %s: %s).
FUI0053 User %s authenticated through LDAP (Host: %s, Port: %d) logged in
from IP address: %s.
FUI0054 User %s authenticated through LDAP (Host: %s, Port: %d).
FUI0055 User %s (domain %s) authenticated through Active Directory (Host: %s,
Port: %d) logged in from IP address: %s.
FUI0056 User %s (domain %s) authenticated through Active Directory (Host: %s,
Port: %d).
FUE0057 Authentication method ‘password’, required by MySQL, requested by
the user %s, logging in from IP address %s, was not found.
FUE0058 Authentication method ‘password’, required by MySQL, requested by
the user %s, was not found.
FUW0059 User %s, logging in from IP address %s, has more than one ‘password’
method, using the first password.
FUW0060 User %s has more than one ‘password’ method, using the first password.
FSE0061 Incorrect password repository configuration: login is empty.
Continued on next page

23.2. Log messages 436

Fudo Enterprise 5.4 - System Documentation

Table 1 – continued from previous page

Message code Message and description
FSE0062 Incorrect password repository configuration: password is empty.
FSE0063 Incorrect server configuration: ERPM namespace is empty.
FSE0064 Incorrect server configuration: ERPM name is empty.
FSE0065 License configuration error.
FSE0066 Unable to block user %jd.
FSE0067 Error connecting to Lieberman ERPM server %s: incorrect URL in con-
figuration.
FSE0068 Error connecting to Lieberman ERPM server %s: incorrect protocol
specified.
FSE0069 Error fetching password from Lieberman ERPM server %s: unable to
get sessid for user %s.
FSE0070 Error fetching password from Lieberman ERPM server %s: unable to
get password for user %s for the %s/%s server.
FSI0070 Established proxy connection from %s to %s (%s:%u).
FSI0071 Established gateway connection from %s to %s (%s:%u).
FSI0072 Established transparent connection from %s to %s (%s:%u).
FSI0073 Bastion connection from %s to %s (%s:%u).
FSW0074 Connection terminated because license has expired or was not set.
FSW0075 Connection terminated because number of nodes in cluster exceeded li-
cense limit.
FSE0076 Unable to establish connection, could not find specified transparent
server (tcp://%s:%u).
FSE0077 LDAP authentication error.
FSE0078 LDAP authentication error: unable to connect from %s to %s.
FUE0079 Authentication timeout after %ju key attempt%s and %ju password at-
tempt%s.
FUE0080 Authentication timeout after %lu key attempt%s.
FUE0081 Authentication timeout after %lu password attempt%s.
FSE0082 Unable to establish connection to server %s (%s).
FSE0083 Unable to establish connection from %s to server %s (%s).
FSI0084 Terminating session: %s.
FSI0085 Session finished.
FUI0086 User %s blocked due to connection policy violation.
FUW0087 Session has been terminated due to user %s account expiration.
FUW0088 Session has been terminated due to exceeding the time window defined
in the connection %s time policy.
FUE0089 Authentication timeout.
FSE0090 Unable to connect to the passwords repository server %s.
FSE0091 Unable to add server %s.
FSE0092 Passwords repository server %s communication error.
FSE0093 Error connecting to Thycotic server %s: incorrect URL in configuration.
FSE0094 Error connecting to Thycotic server %s: incorrect protocol specified.
FSE0095 Error fetching password from Thycotic server %s: unable to get sessid
for user %s.
FSE0096 Error fetching password from Thycotic server %s.
FSE0097 Error fetching password from Thycotic server %s: unable to get secretid
for server %s.
Continued on next page

23.2. Log messages 437

Fudo Enterprise 5.4 - System Documentation

Table 1 – continued from previous page

Message code Message and description
FSE0098 Error fetching password from Thycotic server %s: unable to get password
for user %s for the %s server.
FUE0099 Connection terminated.
FUI0100 HTTP connection beetwen client and server initiated.
FUE0101 Unable to find matching HTTP connection.
FUI0102 Session terminated by system administrator.
FUE0103 HTTP connection error.
FUI0104 %s connection terminated.
FUI0105 HTTP session inactive, terminating.
FUE0106 Authentication failed: %s.
FUW0107 Invalid inactivity timeout, falling back to %d seconds.
FUE0108 MySQL connection error.
FUI0109 MySQL connection terminated.
FUE0110 Oracle connection error.
FUI0111 Oracle connection terminated.
FUE0112 RDP connection error.
FUE0113 TLS Security configured, but missing TLS private key.
FUE0114 TLS Security configured, but missing TLS certificate.
FUE0115 Standard RDP Security configured, but missing private key.
FUE0116 TLS certificate verification failed.
FUE0117 RSA key verification failed.
FUI0118 Successfully authenticated against the server.
FUI0119 Successfully authenticated against the server as user %s using %s.
FUI0120 Successfully authenticated against the server as user %s within domain
%s using %s.
FUI0121 An anonymous user successfully authenticated against the server.
FUI0122 An anonymous user successfully authenticated against the server as user
%s.
FUI0123 An anonymous user successfully authenticated against the server as user
%s within domain %s.
FUE0124 SSH connection error.
FUE0125 User %s failed to authenticate after %d attempts, disconnecting.
FUI0126 Successfully authenticated against the server as user %s using password.
FUE0127 Invalid authentication method: expected passwordor sshkey, got %s.
FUI0128 User %s authenticated using SSH key.
FUE0129 Failed to authenticate against the server as user %s using %s.
FUE0130 Failed to authenticate against the server as user %s using %s (received
%s).
FUW0131 Functionality %s is not allowed.
FUE0132 Client requested incorrect terminal dimensions (%dx%d).
FUE0133 MSSQL connection error.
FUE0134 TN3270 connection error.
FUE0135 Unknown TN3270 command: %02x.
FUW0136 Functionality %s not allowed.
FUE0136 Telnet connection error.
FSE0137 Unable to read private key.
FSE0138 Server’s certificate does not match configured certificate.
Continued on next page

23.2. Log messages 438

Fudo Enterprise 5.4 - System Documentation

Table 1 – continued from previous page

Message code Message and description
FUE0139 VNC connection error.
FUE0140 Client version: %s is higher than the client integrated in Fudo: %s.
FUE0141 VNC connection error. Client answered with unsupported security type:
%hhu.
FUE0142 VNC connection error. Server version: %s is lower than client version:
%s.
FUI0143 VNC connection closed: %s.
FUE0144 User %s failed to authorize logging in from IP address: %s.
FUE0145 User %s failed to authorize.
FUE0146 User %s failed to authenticate logging in from IP address: %s.
FUE0147 User %s failed to authenticate.
FSE0148 Listening on %s:%u failed while adding bastion %s.
FAI0149 User %s deleted previous system version.
FAI0150 User %s changed backup and retention settings.
FAI0151 User %s %s bastion %s.
FAI0152 User %s deleted bastion %s.
FSE0153 Session indexing failure.
FSE0154 Session conversion failure for session %s.
FSI0155 Starting encoding session video %s.
FSI0156 Completed session video %s encoding.
FAI0157 User %s %s failover configuration.
FAI0158 User %s added node %s.
FAI0159 User %s changed %s in node %s.
FAI0160 User %s deleted node %s.
FAI0161 User %s disconnected node from the cluster.
FAI0162 Cluster has no active nodes. Cluster will be disabled.
FAI0163 User %s created new cluster.
FAI0164 User %s attached current node to cluster.
FAE0165 Error authenticating user %s.
FAI0166 User %s restored original logo for protocol %s.
FAI0167 User %s changed logo for protocol %s.
FAI0168 User %s confirmed sensitive feature %s.
FAI0169 User %s removed confirmation for sensitive feature %s.
FAI0170 User %s changed following notifications settings: %s.
FAI0171 User %s enabled email notifications.
FAI0172 User %s disabled email notifications.
FAI0173 User %(username)s is upgrading Fudo.
FAI0174 User %(username)s upgraded Fudo.
FAI0175 User %(username)s uploaded new upgrade image (version: %(version)s,
size: %(size)d).
FAI0176 User %(username)s deleted upgrade files.
FAI0177 User %s uploaded license file.
FAW0178 User %(username)s triggered system restart.
FAW0179 User %(username)s triggered system shutdown.
FAW0180 User %s %s remote SSH access.
FAW0181 User %(username)s changed timestamping settings.
FAW0182 User %(username)s uploaded new PKCS12 file.
Continued on next page

23.2. Log messages 439

Fudo Enterprise 5.4 - System Documentation

Table 1 – continued from previous page

Message code Message and description
FAW0183 User %(username)s changed timestamping provider to %(provider)s.
FAW0184 User %(username)s %(action)s timestamping.
FAI0185 User %s imported system configuration.
FAI0186 User %s exported system configuration.
FAI0187 User %s added NTP server %s.
FAI0188 User %s removed NTP server %s.
FAE0189 Error saving NTP servers: “%s”.
FAI0190 User %(username)s changed date & time from %(old_date)s to
%(new_date)s.
FAI0191 User %s changed timezone to %s.
FAI0192 User %s changed Fudo HTTPS private key and certificate.
FAI0193 User %s %s SSH access.
FAI0194 User %s requested service data.
FAI0195 User %s added %s to %s for %s %s.
FAI0196 User %s removed %s from %s for %s %s.
FAI0197 User %s changed %s from %s to %s for %s %s.
FAI0198 User %(username)s added IP address %(new_inet)s/%(new_netmask)s
to interface %(interface)s with %(new_management)s management and
%(new_cluster)s cluster address.
FAI0199 User %(username)s changed subnet mask from %(old_netmask)s to
%(new_netmask)s on %(new_inet)s/%(new_netmask)s address on in-
terface %(interface)s.
FAI0200 User %(username)s %(new_cluster)s cluster address on
%(new_inet)s/%(new_netmask)s address on interface %(interface)s.
FAI0201 User %(username)s %(new_management)s management on
%(new_inet)s/%(new_netmask)s address on interface %(interface)s.
FAI0202 User %(username)s deleted IP address %(old_ip)s from interface %(in-
terface)s.
FAI0203 User %(username)s %(action)s interface %(interface)s.
FAI0204 User %(username)s added member %(member)s to bridge %(interface)s.
FAI0205 User %(username)s removed member %(member)s from bridge %(inter-
face)s.
FAI0206 User %(username)s enabled spanning tree propagation on bridge %(in-
terface)s.
FAI0207 User %(username)s disabled spanning tree propagation on bridge %(in-
terface)s.
FAI0208 User %(username)s changed VLAN %(interface)s parent interface from
%(old_parent_interface)s to %(new_parent_interface)s.
FAI0209 User %(username)s changed VLAN %(interface)s ID from %(old_vlan)s
to %(new_vlan)s.
FAI0210 User %s deleted interface %s.
FAI0211 User %s changed LDAP synchronization settings.
FAW0213 LDAP error during fetching groups: %s.
FAI0214 User %s enforced full LDAP synchronization.
FAI0215 User %s disabled events logging on syslog servers.
FAI0216 User %s removed syslog server: %s:%s.
FAI0217 User %s added syslog server: %s:%s.
Continued on next page

23.2. Log messages 440

Fudo Enterprise 5.4 - System Documentation

Table 1 – continued from previous page

Message code Message and description
FAI0218 User %s removed syslog server %s.
FAI0219 User %s changed remote log dispatch settings.
FAI0220 User %s changed network interfaces settings.
FAI0221 User %s changed hostname from %s to %s.
FAI0222 User %s added DNS server IP address %s.
FAI0223 User %s removed DNS server IP address %s.
FAI0224 User %s added new route for network %s with gateway %s.
FAI0225 User %s changed gateway for network %s from %s to %s.
FAI0226 User %s deleted network %s with gateway %s.
FAI0227 User %s (%s) terminated session.
FAI0228 Anonymous user from IP address %s with access rights granted by user
%s joined session.
FAI0229 User %s from IP address %s joined session.
FAI0230 User %s (%s) suspended session.
FAI0231 User %s (%s) resumed session.
FAE0232 MySQL session playback error.
FAI0233 Anonymous user from IP address %s accessed session %s shared by %s
with key %s.
FAI0234 User %s from IP address %s accessed session %s.
FAI0235 User %s %s comment %d for session.
FAI0236 User %s generated key %s with %s access.
FAI0237 User %s is viewing user input for session.
FAI0238 User %s blocked server %s.
FAI0239 User %s unblocked server %s.
FAI0240 User %s blocked connection %s.
FAI0241 User %s unblocked connection %s.
FAI0242 User %s addedd new time policy to connection %s for %s from %s to
%s.
FAI0243 User %s changed connection %s %s time policy %s from %s to %s.
FAI0244 User %s deleted time policy for %s %s - %s from connection %s.
FAI0247 User %s deleted server %s.
FAI0248 User %s %s server %s.
FAI0251 User %s deleted connection %s.
FAI0252 User %s %s connection %s.
FAI0253 User %s deleted session.
FAI0254 User %s requested OCR processing for session.
FAW0255 User %s tried to disable a non-exisitent sharing key for session.
FAI0256 User %s disabled anonymous access key %s for session.
FAI0259 User %s deleted download %s.
FAI0260 User %s downloaded file %s for session %s.
FAI0261 Anonymous user from IP address %s terminated session shared by %s
with key %s.
FAI0262 User %s terminated session.
FAI0263 User %s blocked user %s.
FAI0264 User %s modified policies settings.
FAI0265 User %s modified regular expressions settings.
FSW0266 Failed to send email.
Continued on next page

23.2. Log messages 441

Fudo Enterprise 5.4 - System Documentation

Table 1 – continued from previous page

Message code Message and description
FSE0267 Error generating report %d: %s.
FAI0268 User %s deleted report “%s”.
FAW0269 User %s cannot delete report “%s”.
FAI0270 Report {} created by user {}.
FAW0271 User %(username)s is blocked.
FAW0272 User %(username)s is not allowed to log in.
FAW0273 User %(username)s logging from IP %(ip)s not found.
FAI0276 User %s unblocked user %s.
FAI0277 User %s deleted user %s.
FAI0278 User %s added user %s to connection %s.
FAI0279 User %s changed user %s.
FAI0281 User %s logged out from Fudo administration panel.
FAI0282 User %s successfully changed his password.
FSE0283 Unable to process pattern: %s
FSW0284 Pattern %s matched on %s with priority %s in session.
FSE0285 Unable to read certificate.
FSE0286 No peer certificate received.
FSW0287 No server key configured, skipping verification.
FSI0288 Server key verification failed.
FUI0289 MSSQL connection terminated.
FSI0290 User %s (%d) was removed. Reason: user wasn’t in any of synchronized
groups.
FSI0291 System backup initiated, fingerprint: ${fingerprint}.
FSI0292 System backup initiated.
FSI0293 System backup completed, fingerprint: ${fingerprint}.
FSI0294 System backup completed.
FAI0295 User %s blocked bastion %s.
FAI0296 User %s unblocked bastion %s.
FAI0297 User %s created bastion %s.
FAI0298 User %s changed bastion %s.
FAI0299 User %s created server %s.
FAI0300 User %s changed server %s.
FAI0301 User %s changed connection %s.
FAI0302 User %s created connection %s.
FAI0303 User %s created user %s with role %s.
FAI0304 User %s modified %s for %s %s.
FUE0305 Client connection closed: encryption is not available.
FUE0306 Client connection closed.
FSE0307 Error fetching password from HiPAM server %s: unable to get sessid for
user %s.
FSE0308 HiPAM server internal error.
FSE0309 Error fetching password from HiPAM server %s: unable to get sessdat
for user %s.
FSE0310 Incorrect server configuration: HiPAM name is empty.
FSE0311 Unable to fetch password from HiPAM.
FSE0312 Error connecting to HiPAM server %s: incorrect URL in configuration.
FSE0313 Error connecting to HiPAM server %s: incorrect protocol specified.
Continued on next page

23.2. Log messages 442

Fudo Enterprise 5.4 - System Documentation

Table 1 – continued from previous page

Message code Message and description
FUE0314 Invalid pixel format.
FSE0330 Bad login field configured on LDAP server %s. Error while processing
user %s.
FSE0331 Error while processing userAccountControl value of user %s.
FSI0332 User %s will be blocked.
FSI0333 User %s will be unblocked.
FSW0334 User %s has incorrect principal name.
FSI0335 User %s synchronized from LDAP server %s.
FSI0336 Remove pair connection %s user %s.
FSI0337 Add conection %s to user %s.
FSW0338 User %s paired with connection %s, server conflict.
FSI0339 User %s (%s) was removed. Reason: user was not in any of synchronized
groups.
FSI0340 Full synchronization from LDAP server %s started.
FSI0341 User %s connections cleared.
FSI0342 User %s will be resynchronized from server %s.
FSI0343 Resynchronized user %s will be removed.
FSW0344 Connection to LDAP server error: %s.
FSI0345 Successfully fetched password from %s.
FUE0346 Client sent a packet bigger than %d bytes.
FSE0348 Unable to get configuration settings.
FAI0349 Anonymous user from IP address %s with access rights granted by user
%s left session.
FAI0350 User %s from IP address %s left session.
FUE0351 Client sent unsupported NTLM v1 response.
FSE0352 Bastion requires login and server delimited with one of ‘%s’ (%s).
FAI0353 User %(username)s is deleting upgrade snapshost.
FAI0354 User %(username)s deleted upgrade snapshot.
FSE0355 Inconsistent data, starting recovery replication to cluster node %s (%s).
FUW0356 Unsupported X11 extension: %s.
FUW0357 Server uses higher resolution than the current limit: %dx%d.
FUW0358 Server uses higher color depth than the current limit: %d bpp.
FUE0359 Server rejected X11 connection: %.*s.
FUE0360 Server requires unsupported X11 authentication: %.*s.
FSW0361 Fudo started.
FSE0362 Unable to propagate ARP.
FUE0363 User %s has no access to host %s:%u.
FUI0364 RDP server sent a redirection packet.
FUE0365 RDP server %s:%u has to listen on the default RDP port in order to
redirect sessions.
FSE0366 Error connecting to CyberArk server %s: incorrect URL in configuration.
FSE0367 Error connecting to CyberArk server %s: incorrect protocol specified.
FSE0368 Error fetching password from CyberArk server %s.
FSE0369 Error fetching password from CyberArk server %s: unable to get pass-
word for user %s for server %s.
FUW0373 Session has been terminated due to exceeding the time window defined
in a time policy for the user %s and the safe %s.
Continued on next page

23.2. Log messages 443

Fudo Enterprise 5.4 - System Documentation

Table 1 – continued from previous page

Message code Message and description
FSI0374 Established %s connection from %s to %s:%u.
FSE0375 Unable to add listener %s.
FSE0376 Unable to add listener %s because %s is listening on same IP address
and port.
FSE0377 Bastion requires login and server to be delimited with one of the ‘%s’
characters (listener: %s, login: %s).
FSE0378 Unable to establish connection: server not found, user not found or user
has no access to the server (listener: %s, login: %s).
FSE0379 Unable to establish connection: transparent server (tcp://%s:%u) not
found or cannot be reached through listener (listener: %s, login: %s).
FSE0380 Unable to authenticate user %s: server is blocked.
FSE0381 Unable to authenticate user %s: account not found.
FSE0382 Unable to authenticate user %s: account is blocked.
FSE0383 Unable to authenticate user %s: user not found.
FSE0384 Unable to authenticate user %s: user is blocked.
FSE0385 Unable to authenticate user %s: safe not found.
FSE0386 Unable to authenticate user %s: safe is blocked.
FSI0387 Password for account %s verified successfully.
FSI0389 Password for account %s changed successfully.
FAI0393 User %s displayed password history for account %s.
FAI0394 User %s displayed password to account %s changed at %s.
FAI0395 User %s displayed current password for account %s.
FAI0396 User %s blocked safe %s.
FAI0397 User %s unblocked safe %s.
FAI0398 User %s deleted safe %s.
FAI0399 User %s changed safe %s.
FAI0400 User %s created safe %s.
FAI0401 User %s blocked account %s.
FAI0402 User %s unblocked account %s.
FAI0403 User %s deleted account %s.
FAI0404 User %s changed account %s.
FAI0405 User %s created account %s.
FAI0406 User %s blocked listener %s.
FAI0407 User %s unblocked listener %s.
FAI0408 User %s deleted listener %s.
FAI0409 User %s changed listener %s.
FAI0410 User %s created listener %s.
FAI0411 User %s blocked password change policy %s.
FAI0412 User %s unblocked password change policy %s.
FAI0413 User %s deleted password change policy %s.
FAI0414 User %s changed password change policy %s.
FAI0415 User %s created password change policy %s.
FSI0416 Connection between safe %s and user %s has been removed.
FSI0417 Connection between safe %s and user %s has been added.
FSI0418 User %s was removed from safes %s.
FSE0420 Unable to authenticate user %s against server %s.
FAI0421 User %s assigned listener %s to safe %s.
Continued on next page

23.2. Log messages 444

Fudo Enterprise 5.4 - System Documentation

Table 1 – continued from previous page

Message code Message and description
FAI0422 User %s unassigned listener %s from safe %s.
FAI0423 User %s assigned account %s to safe %s.
FAI0424 User %s unassigned account %s from safe %s.
FAI0425 User %s assigned authentication method %s to user %s.
FAI0426 User %s unassigned authentication mathod %s from user %s.
FAI0427 User %s changed authentication mathod %s assigned to user %s.
FAI0428 User %s assigned user %s to safe %s.
FAI0429 User %s unassigned user %s from safe %s.
FAI0430 User %s blocked password changer %s.
FAI0431 User %s unblocked password changer %s.
FAI0432 User %s deleted password changer %s.
FAI0433 User %s changed password changer %s.
FAI0434 User %s created password changer %s.
FSW0435 Password changer timed out for acccount %s.
FUI0436 User %s authenticated using token logged in from IP address: %s.
FUI0437 User %s authenticated using token.
FAW0438 User %s authenticated using new token while the old one still exists.
FAW0439 User %s authenticated using old token.
FAI0440 User %s granted access for account %s to user %s.
FAI0441 User %s revoked access for account %s from user %s.
FAI0442 User %s granted access for listener %s to user %s.
FAI0443 User %s revoked access for listener %s from user %s.
FAI0444 User %s created policy %s.
FAI0445 User %s deleted policy %s.
FAI0446 User %s changed policy %s.
FAI0447 User %s assigned regexp %s to policy %s .
FAI0448 User %s unassigned regexp %s from policy %s.
FAI0449 User %s created regexp %s.
FAI0450 User %s deleted regexp %s.
FAI0451 User %s changed regexp %s.
FAI0452 User %s granted access for safe %s to user %s.
FAI0453 User %s revoked access for safe %s from user %s.
FAI0454 User %s granted access for server %s to user %s.
FAI0455 User %s revoked access for server %s from user %s.
FAI0456 User %s granted access for user %s to user %s.
FAI0457 User %s revoked access for user %s from user %s.
FAI0458 User %s displayed password history for account %s. Reason: %s.
FAI0459 User %s displayed password to account %s changed at %s. Reason: %s.
FAI0460 User %s displayed current password for account %s. Reason: %s
FSE0461 Invalid data from %s LDAP server.
FAI0462 User {} created redundancy group {}.
FAI0463 User {} deleted redundancy group {}.
FAE0464 User %s is not allowed to login from address %s.
FUW0465 Establishing new connections has been disabled.
FSE0466 Fudo versions do not conform.
FUE0467 Client tried to authenticate using an invalid UTF-8 login.
FSI0468 A passphrase used to decrypt disks was changed.
Continued on next page

23.2. Log messages 445

Fudo Enterprise 5.4 - System Documentation

Table 1 – continued from previous page

Message code Message and description
FSE0469 Unexpected number of bastions (%s).
FSE0470 Unexpected number of servers (%s).
FSE0471 Unexpected number of users (%s).
FSE0472 RDP servers %s must all use TLS (NLA) or Standard RDP Security.
FSE0473 Fudo cannot be upgraded to PAM.
FSI0474 Fudo can be upgraded to PAM.
FSE0475 Connection %s replaces a login and forwards a secret for servers %s which
is not allowed.
FSE0476 ZVOL with encryption key does not exist.
FSE0477 Replication of encryption key to cluster node %s (%s) failed.
FSE0478 Unable to join cluster’s node ${name}. Fudo versions do not conform
(local: ${VERSION}, remote: ${rversion}).
FSE0479 Servers %s must all use the same %s settings.
FSE0480 Servers %s must all use the same protocol.
FSW0482 Unable to verify password for account %s.
FUI0483 User %s authenticated using Citrix logon ticket logged in from IP ad-
dress: %s.
FUI0484 User %s authenticated using Citrix logon ticket.
FUE0485 ICA connection error.
FUI0486 ICA server closed connection.
FAI0487 User %s requested timestamping for session.
FAI0488 User %s requested timestamping for account.
FSI0489 Label %s not defined on this node, skipping listener %s.
FAI0490 User %s created external authentication %s.
FAI0491 User %s changed external authentication %s: %s.
FAI0492 User %s deleted external authentication %s.
FSE0493 Unable to establish connection to server %s (%s): label %s not defined
on this node.
FSI0494 Label %s not defined on this node, skipping external authentication %s.
FSE0495 Communication error with cluster node %s (%s): connection failure.
FSE0496 Communication error with cluster node %s (%s): unable to replicate a
batch with object %jd to table %s.
FSE0497 Communication error with cluster node %s (%s): unable to replicate a
batch with object %jd (name: %s) to table %s.
FSE0498 Communication error with cluster node %s (%s): unable to store object
%jd in table %s.
FSE0499 Communication error with cluster node %s (%s): unable to store object
%jd (name: %s) in table %s.
FSE0500 Communication error with cluster node %s (%s): unable to connect to
%s.
FSE0501 Communication error with cluster node %s (%s): failure during hand-
shake.
FSE0502 Database error.
FSE0503 Communication error with a cluster node: Fudo version mismatch (local:
%s, remote: %s).
FSE0504 Communication error with cluster node %s (%s): %s.
FSE0505 Communication error with a cluster node: failure during handshake.
Continued on next page

23.2. Log messages 446

Fudo Enterprise 5.4 - System Documentation

Table 1 – continued from previous page

Message code Message and description
FSI0508 Successfully replicated encryption key to node %s (%s).
FSE0509 Communication error with cluster node %s (%s): unable to replicate
session data.
FSE0510 Communication error with cluster node %s (%s): intial replication failed.
FSW0511 There has been an attempt to reset Fudo to factory defaults. Resetting
Fudo to factory defaults has been administratively disabled.
FAI0512 User %s enabled reset account.
FAI0513 User %s disabled reset account.
FAW0514 User %s of role %s tried to view %s, but has insufficient privileges for
this action.
FSE0515 Unable to upload backup #${currno} at ${datetime}.
FSI0516 Backup #${currno} at ${datetime} successfully uploaded.
FSE0517 Backup configuration error: %s.
FSE0518 Backup internal error.
FSI0519 ${type} backup snapshot ${snapname} successfully taken.
FUE0520 User %s tried to access ICA server %s:%u using Citrix StoreFront which
is not permitted.
FUE0521 Citrix StoreFront sent an ICA file without a destination address.
FSW0522 Roolback to ${oldversion} failed.
FSW0523 Upgrade to ${oldversion} failed.
FSW0524 Roolback to ${version} succeeded.
FSW0525 Upgrade to ${version} succeeded.
FSE0526 Error communicating with bypass card. Error setting nextboot mode.
FSE0527 Error communicating with bypass card. Error setting bpe mode.
FSE0528 Error communicating with bypass card. Error switching card mode.
FSE0529 Error communicating with bypass card.
FAI0530 User %s enabled snmp.
FAI0531 User %s disabled snmp.
FSW0532 External storage is unavailable.
FSE0533 Unable to attach external storage.
FSI0534 External storage attached.
FSE0535 External storage is unavailable in this configuration.
FSW0536 External storage detached.
FSI0537 External storage attached successfully.
FAI0538 Set external storage connection mode to %s
FAI0539 Set configured WWN to %s, external storage connection mode to %s
FAI0540 Interface discovery while configuring external storage: %s
FSW0540 Found ${cdisk} paths to fiber channel ${wwn} from ${cscbus} devices.
FSW0541 Retention module was unable to move session ${sessid}.
FAI0542 User %s assigned account %s, listener %s to safe %s.
FAI0543 User %s unassigned account %s, listener %s from safe %s.
FSE0544 Failed to list snapshots.
FSW0545 Unable to change password for account %s.
FUI0546 ICA client closed connection.
FAE0547 User %s could not create a ticket requesting an access to safe %s.
FAI0548 User %s created ticket %s requesting an access to safe %s.
FAI0549 User %s approved ticket %s requesting an access for user %s to safe %s.
Continued on next page

23.2. Log messages 447

Fudo Enterprise 5.4 - System Documentation

Table 1 – continued from previous page

Message code Message and description
FAI0550 User %s rejected ticket %s requesting an access for user %s to safe %s.
FAI0551 User %(username)s added member %(member)s to lagg %(interface)s.
FAI0552 User %(username)s removed member %(member)s from lagg %(inter-
face)s.
FSE0553 Unable to extract public key from CA.
FUE0554 SFTP server uses an unsupported version %u.
FAI0555 User %s added address %s to server %s.
FAI0556 User %s removed address %s from server %s.
FAI0557 User %s changed address %s assigned to server %s.
FSI0558 Starting encoding file for session %s.
FSI0559 Completed encoding file for session %s.
FSE0560 Session has not been approved nor rejected.
FSE0561 Unexpected number of connections (%s).
FAI0562 User %s rejected session %s. Reason: %s.
FAI0563 User %s rejected session %s.
FAI0564 User: {} tried to accept session: {} but it was accepted by:
FAI0565 User: {} rejected session: {}
FAI0566 User: {} tried to reject session: {} but it was accepted by:
FAI0567 User: {} tried to reject session: {} but it was rejected by:
FAI0568 User: {} accepted session: {}
FAI0569 User: {} tried to accept session: {} but it was rejected by:
FAI0570 User %s approved session %s.
FSI0571 Proxy connection closed.
FSE0572 Proxy connection error.
FSI0573 Client sent an invalid token.
FSE0574 Unable to resolve ${ip} domain to address.
FSE0575 Unable to convert raw file to pcap.
FSI0578 User %s (%s) was removed. Reason: user’s external server dosen’t exists
any more.
FSE0580 Cluster %s has an invalid token: %s.
FAI0581 User %s changed domain search path from %s to %s.
FSW0582 Disk $cdev was removed.

23.3 Footer Information

The footer on the left menu displays 4 elements describing current Fudo Enterprise instance:
1. Uptime - when the system was activated last time.
2. Serial Number - ID of the cluster node. It’s unique for a single cluster.
3. FUID (Fudo Unique Identifier) - Unique ID of the current Fudo Enterprise instance.
4. System Version - Current software version.

23.3. Footer Information 448

Fudo Enterprise 5.4 - System Documentation

23.3. Footer Information 449

CHAPTER 24

Fudo Officer 1.0

Fudo Officer 1.0 is a mobile app that allows Fudo Enterprise administrators to manage the
users’ requests to the target servers. The requests are accepted or rejected by the administrators
via the Fudo Officer app, or on Admin Panel in the Management > Sessions tab.

Note: Refer to the Approving pending user requests and Declining pending requests topics for
more information about maintaining the users’ requests on the Admin Panel.

English, Polish, Russian, and Ukrainian languages are available as an application language.
Application language is set according to the phone settings.

Warning: Fudo Officer app requires enabling the Call Home service at the Maintenance
and supervision section of the Settings > System tab.
Additionally, there must be selected the Require approval option within the Safe and enabled
an option for push notifications Session awaiting approval (push) for the user. An associated
device can be configured for the currently logged user only.

24.1 Configuration

Warning: An associated device can be configured for the currently logged user only.

In order to configure the Fudo Officer app, follow the instruction:

1. Allow the application sending notifications.
2. Set a PIN (a 4-6 digits number). This PIN is independent from the PIN you use to unblock
your phone.

450
Fudo Enterprise 5.4 - System Documentation

3. Create your first profile.

3.1. Open Fudo Enterprise Admin panel. Go to Management > Users. Choose a user to create
a profile for.
3.2. Edit user and go to the More tab. In the Fudo Officer field click the Add device button.
The showed QR code has to be scanned with the app.
3.3. Go back to the app and click the Add your profile button. Next, click the Scan QR code
button.
3.4. Scan showed QR code with your phone.
3.5. Set a profile name and click the Create profile button. The profile name is editable.
3.6. Go back to the Fudo Enterprise Admin panel and click OK in the QR code window. The
Fudo Officer section now has the Platform field filled with the binding device name and the
Push ID with the respective string.

3.7. Click the Save button.

Now, you can manage the users’ requests via the created profile.

Note: A profile is unique for one user within one Fudo Enterprise instance.

24.2 Managing session requests

The requests which are waiting for the response, are located under the Pending tab. Click on a
request item to accept or reject the request.

24.2. Managing session requests 451

Fudo Enterprise 5.4 - System Documentation

Alternatively, swipe right on a request item to accept the request or swipe left to reject the
request.

24.2. Managing session requests 452

Fudo Enterprise 5.4 - System Documentation

The processed requests (accepted and rejected) can be found under the Archived tab. These
requests can be sorted by Date, Server name or User.

24.2. Managing session requests 453

Fudo Enterprise 5.4 - System Documentation

24.3 Settings

Edit profile
1. Choose a cog icon in the upper right corner.

2. Swipe left on the profile item.

24.3. Settings 454

Fudo Enterprise 5.4 - System Documentation

3. Click on the pencil icon to edit the profile name, or Click the red button if you want to
delete the profile.
Add profile
1. Open Fudo Enterprise Admin panel. Go to Management > Users. Choose a user to create
a profile for.
2. Edit user and go to the More tab. In the Fudo Officer field click the Add device button.
The showed QR code has to be scanned with the app.
3. Go back to the app and click the Add your profile button. Next, click the Scan QR code
button.
4. Scan showed QR code with your phone. Set a profile name and click the Create profile
button. The profile name is editable.
5. Go back to the Fudo Enterprise Admin panel and click OK in the QR code window. The
Fudo Officer section now has the Platform field filled with the binding device name and
the Push ID with the respective string.
6. Click the Save button.
Change PIN code
1. Choose a cog icon in the upper right corner.
2. Click Change PIN code.
3. Enter your current PIN code. You will have 5 attempts.
4. Create a new 4-6 digits PIN code.

24.3. Settings 455

Fudo Enterprise 5.4 - System Documentation

5. Confirm the entered PIN code.

The Secure app success toggle is enabled by default - it’s allowing an authentication method for
logging in to the application.

24.3. Settings 456

CHAPTER 25

AAPM (Application to Application Password Manager)

Deprecated since version 5.4

Fudo Enterprise 5.4 is the last version supporting Application to Application Password Manager.
The AAPM will be replaced by the functionality of APIv2 in the next release.

The AAPM module enables secure passwords exchange between applications.

An essential part of the AAPM module is the fudopv script. It is installed on the applica-
tion server and it communicates with the Fudo Enterprise Secret Manager module to retrieve
passwords.
The AAPM module supports Microsoft Windows, Linux and BSD family operating systems.

25.1 Compiling fudopv tool

Deprecated since version 5.4

Fudo Enterprise 5.4 is the last version supporting Application to Application Password Manager.
The AAPM will be replaced by the functionality of APIv2 in the next release.

The result of this procedure is fudopv application with Python interpreter included.

Note: For information on deploying fudopv without compiling sources files, refer to the De-
ploying fudopv without compiling source files topic.

457
Fudo Enterprise 5.4 - System Documentation

25.1.1 Python

Windows
Download and install Python 3.x environment:
https://www.python.org/downloads/

Note: Make sure to select the option to add python.exe to the execution path.

Linux
Install Python environment according to the guide provided by the manufacturer.
Exemplary configuration:

./configure \
--prefix=/opt/python-3.6 \
--with-ensurepip=install \
--disable-optimizations \
--enable-shared

Note:
• --disable-optimizations - optimizations may result in build failures,
• --with-ensurepip=install - installs tools for managing Python’s packages,
• --enable-shared - one of the fudopv's dependencies requires the Python interpreter .so
library.

25.1.2 Virtual environment

Compiling the package requires the virtualenv module.

1. Execute pip install virtualenv requests or easy_install virtualenv requests
command.
2. In the fudopv/ execute the virtualenv deps command.
The environment required for building fudopv will be created in the deps/ folder.
Windows
Run the deps\Scripts\Activate command to activate the environment.
Linux
In case of the interpreter build from the source code you can use the included pip and
easy_install tools. You must also set the path to the shared libraries and run the virtualenv
with the -p option:

LD_LIBRARY_PATH=/opt/python-3.6/lib
/opt/python-3.6/bin/pip install virtualenv requests
/opt/python-3.6/bin/virtualenv -p /opt/python-3.6/bin/python deps

25.1. Compiling fudopv tool 458

Fudo Enterprise 5.4 - System Documentation

To activate the environment, run the source deps/bin/activate command.

25.1.3 Fetching dependencies

In active virtual environment run the pip install -r requirements.txt to install fudopv
dependencies. Dependencies are installed in the deps/

Note: If the ImportError: No module named _markerlib problem occurs, execute pip
install --upgrade distribute and install dependencies once again.

Windows
Download and install pywin32 : https://sourceforge.net/projects/pywin32/files/

Note: Make sure to select the installer for Python 3.x.

After activating the virtualenv environment, execute the following command with the path to
the pywin32 :

easy_install path\to\pywin32

Linux
Linux operating system does not require taking any additional actions.

25.1.4 Package creation script

Execute the python setup.py command, which will create package in the fudopv folder.

Note: The PyInstaller does not support package creation on a privileged account. If the
ERROR: You are running PyInstaller as user root. This is not supported. error oc-
curs, you can change the check_not_running_as_root() function in the ./deps/lib/python3.
6/site-packages/PyInstaller/utils/misc.py so that it return the result without checking
anything.

Related topics:
• Using fudopv
• Deploying fudopv without compiling source files
• Authentication methods

25.1. Compiling fudopv tool 459

Fudo Enterprise 5.4 - System Documentation

25.2 Deploying fudopv without compiling source files

Deprecated since version 5.4

Fudo Enterprise 5.4 is the last version supporting Application to Application Password Manager.
The AAPM will be replaced by the functionality of APIv2 in the next release.

To use fudopv without compiling source files, proceed as follows.

1. Download and install Python 3.x environment.

Note: It is advised to run fudopv in virtual environment.

2. Execute pip install virtualenv requests or easy_install virtualenv requests

command to install virtual environment.
3. In the fudopv/ execute virtualenv deps command.
4. Add fudopv to your python search path. Execute export PYTHONPATH=~/fudopv where
"~/fudopv" is the path where you have unpacked the utility and run virtualenv/
easy_install in.
5. Execute python -m fudopv, to start fudopv.
Related topics:
• Using fudopv
• Compiling fudopv tool

25.3 Using fudopv

Deprecated since version 5.4

Fudo Enterprise 5.4 is the last version supporting Application to Application Password Manager.
The AAPM will be replaced by the functionality of APIv2 in the next release.

Execution parameters
When working with fudopv, the following command format is used:

fudopv [<options>] <command> [<parameters>]

The following table lists the available options for the fudopv command.

25.2. Deploying fudopv without compiling source files 460

Fudo Enterprise 5.4 - System Documentation

Command/option/parameter Description
Commands
getcert Fetch User Portal SSL certificate.
getpass <type> <account_name> Fetch password to selected account.
type:
• direct - direct, unmonitored connection;
• fudo - connection monitored by the PSM mod-
ule

Options for type fudo

-s <address>, --server-address Address of the server to which the account will con-
<address> nect.
-p <port>, --port <port> Port of the server to which the account will connect.
General options
-c <path>, --cfg <path> Use configuration file from provided path.
-h, --help Show options and parameters list.

1. Upload fudopv script to the server and change its access rights to allow execution.

2. Log in to the Fudo Enterprise administration panel.

3. Create a user object with user role, static password authentication and server’s IP address
defined in the API section.

Note:
• Select Management > Users.
• Click +Add user.
• Enter user’s name.
• Define account’s validity period.
• Select User from the Role drop-down list.
• Assign safe and click the object to open its properties.
• Select the Reveal password option.
• In the Authentication section, select Password from the Add authentication method drop-
down list.
• Type in the password in the Password field.

25.3. Using fudopv 461

Fudo Enterprise 5.4 - System Documentation

• If you want to limit the IP addresses allowed to access Fudo Enterprise over the API
interface, go to the More tab, and in the AAPM field enter the IP address of the server,
which will be requesting passwords using fudopv script.
• Click Save.

4. Run fudopv getcert command to initiate the configuration.

Note: fudopv configuration files are stored in the .fudopv folder in user’s home folder.

5. Open fudopv.cfg file in a text editor of your choice.

Section Description
[FUDO]
address User Portal’s IP address.
cert_path Path to the User Portal’s SSL certificate files.

[CONN]
bind_ip IP address of the server, running the fudopv script. The IP address must be
the same as the IP address defined in the API section in user configuration.
This parameter is optional.

[AUTH]
username User login as defined in step 3.
secret Path to the secret.txt file containing user’s static password.

25.3. Using fudopv 462

Fudo Enterprise 5.4 - System Documentation

Note:
• In the [FUDO] section, in the address line, enter the User Portal IP address.
• Leave the cert_path line as is, it will be updated automatically after successfully running
the fudopv getcert command.
• If you specified the IP address allowed to access Fudo Enterprise over API, in the [CONN]
section, uncomment the bind_ip line and provide the IP address of the server running the
fudopv script.
• In the [AUTH] section, in the username line, provide the login of the user object defined
in step 3.
For example:

[FUDO]
address=10.0.0.8.61
cert_path=<CERT_PATH>

#[CONN]
bind_ip=10.0.0.8.11

[AUTH]
username=fudopv
secret=/Users/zmroczkowski/.fudopv/secret.txt

6. Run fudopv getcert command to fetch User Portal’s SSL certificate.

Note: After running the script successfully, the path to the certificate in the configuration file

25.3. Using fudopv 463

Fudo Enterprise 5.4 - System Documentation

will be automatically updated.

7. Edit the secret.txt file and provide user’s static password.

8. Run command:
• fudopv getpass direct <account_name>, to fetch password to connect directly to the
server.

• fudopv getpass fudo --server-address <address> --port <port>

<account_name>, to fetch password to establish monitored connection with the tar-
get host.

25.3. Using fudopv 464

Fudo Enterprise 5.4 - System Documentation

Warning: Correct operation of the fudopv script requires disabling the Login reason
prompt option in the safe’s properties.

Related topics:
• Compiling fudopv tool
• Deploying fudopv without compiling source files
• Authentication methods
• Data model
• System overview
• Setting up password changing on a Unix system

25.4 Authentication methods

Deprecated since version 5.4

Fudo Enterprise 5.4 is the last version supporting Application to Application Password Manager.
The AAPM will be replaced by the functionality of APIv2 in the next release.

Conventions and symbols:

• url: fudo connection address,
• ->: fudopv request,
• <-: response from Fudo Enterprise,
• status: response status,
• FUDO: Fudo IP address,
• USER: username,
• SECRET: password (static),
• SESSIONID: session token,
• method: HTTP protocol method: GET/POST/PUT,

25.4. Authentication methods 465

Fudo Enterprise 5.4 - System Documentation

• {“key”: “value”}: JSON included in the request/response.

25.4.1 Static password

Static user password, stored in the secret.txt file.

• -> url: https://FUDO/api/portal/login
• -> method: POST
• -> {"username": "USER", "password": "SECRET"}
• <- status:
– 200, OK
∗ <- {"sessionid": "SESSIONID"}
– 401, UNAUTHORIZED
– <- Not applicable.
Related topics:
• Compiling fudopv tool
• Deploying fudopv without compiling source files
• Using fudopv

25.4. Authentication methods 466

CHAPTER 26

Ticketing systems

Deprecated since version 5.4

Fudo Enterprise 5.4 is the last version supporting Ticketing systems. The support will be
removed in the next release.

467
CHAPTER 27

Client applications

27.1 PuTTY

1. Download and launch PuTTY.

2. In the Host Name (or IP address) field, enter IP address defined in the listener.

3. In the Port number field, enter port number defined in the listener.

468
Fudo Enterprise 5.4 - System Documentation

4. Select the SSH connection type.

5. Click Open.
6. Enter username.

27.1. PuTTY 469

Fudo Enterprise 5.4 - System Documentation

7. Enter password.
Related topics:
• SSH
• Creating an SSH server
• Setting up the SSH listener

27.2 Microsoft Remote Desktop

1. Launch Microsoft Remote Desktop.

2. Enter connection name.
3. Provide destination host IP address and RDP service port number in the PC name field
as defined in the listener object.

27.2. Microsoft Remote Desktop 470

Fudo Enterprise 5.4 - System Documentation

3. Enter user login and password and press the [Enter] keyboard key.

Note: Fudo Enterprise enables using custom login, no access and session termination screens
for RDP and VNC connections. For more information on user defined images for graphical

27.2. Microsoft Remote Desktop 471

Fudo Enterprise 5.4 - System Documentation

remote sessions, refer to the Resources topic.

Related topics:
• RDP
• Creating an RDP server
• Setting up the RDP listener

27.3 TightVNC Viewer

1. Launch TightVNC Viewer.

2. Enter IP address in the server address field as defined in the created VNC listener object
(for more information refer to the Quick start - VNC topic).

27.3. TightVNC Viewer 472

Fudo Enterprise 5.4 - System Documentation

3. Enter username and password and press the enter key.

Related topics:
• VNC
• Creating a VNC server
• Setting up the VNC listener

27.4 SQL Server Management Studio

1. Start SQL Server Management Studio.

2. Enter IP address as defined in the listener object.
3. From the Authentication drop-down list, select SQL Server Authentication.
4. Enter user login and password.
5. Click Connect.

27.4. SQL Server Management Studio 473

Fudo Enterprise 5.4 - System Documentation

Related topics:
• MS SQL
• Creating a MS SQL server
• Setting up the MS SQL listener

27.4. SQL Server Management Studio 474

CHAPTER 28

Troubleshooting

28.1 Booting up

Problem Symptoms and solution

Fudo Enterprise does not
• Make sure that both power supplies are connected to
boot up
power outlets. Not connecting both power supplies will
result in sound alarm.
• Make sure that encryption key is properly connected.
• In case the problem is a result of unsuccessful system up-
date, wait a few minutes. During that time, Fudo En-
terprise will detect the problem and will restore previous
system revision.

475
Fudo Enterprise 5.4 - System Documentation

28.2 Connecting to servers

Problem Symptoms and solution

Cannot connect to server Symptoms:
• User cannot log in.
• Events log entry: Authentication failed: Invalid username
kowalski or password.

Solution:
• Verify that user definition exists in Fudo Enterprise
database.
• Make the login credentials are correct.
• Make sure that the client software does not have outdated
credentials stored.
• Check if the user has a domain defined and make sure it
is provided when attempting to log in.
• If there are two users with the same login, one of which has
the domain configured the same as the default domain,
and the other does not have the domain defined, Fudo
Enterprise will report authentication problem as it cannot
determine which user is trying to connect.

Symptoms: events log entry: Unable to establish connection

to server zbigniew (10.0.35.53:3399).
Cause: incorrect server configuration.
Solution:
• Verify that the server in question is properly configured
(IP address, port number).
• Check if the server is reachable from Fudo Enterprise:
1. Log in to Fudo Enterprise administration panel.
2. Select Settings > System, Diagnostics tab.
3. Enter server address in the Ping section and execute com-
mand and test host’s availability.
• Check if the server is reachable on given port number:
1. Log in to Fudo Enterprise administration panel.
2. Select Settings > System, Diagnostics tab.
3. Enter server address along with the port number in the
Netcat section and execute command.

Symptoms: Message in client software: Cannot establish

new connection because the capacity of the filesystem has been
reached.
Cause: Storage usage has reached 90%.
Solution: Delete sessions to free up storage space.

28.2. Connecting to servers 476

Fudo Enterprise 5.4 - System Documentation

Problem Symptoms and solution

When logging in not all of Cause:
the users see the Fudo En- • Credentials stored in RDP client result in users being au-
terprise logon screen. tomatically logged in to remote host.
• Credentials stored in RDP client, user is successfully au-
thenticated against credentials stored so the Fudo Enter-
prise logon screen is not displayed. Next, Fudo Enter-
prise forwards user credentials to target server but they
are no longer valid which results in Windows gina being
displayed.

Symptoms:
• Client software message: Connection closed by remote
host.
• Events log entry: Failed to authenticate against the server
as user root using password.

Cause: incorrect login credentials.

Solution: provide correct login credentials in server configura-
tion.

Symptoms:
• RDP client message: Connection refused.
• SSH client message: ssh: connect to host 10.0.1.111 port
10011: Connection refused

Cause: server has been blocked.

Solution: log in to Fudo Enterprise administration panel and
unblock the server.

28.2. Connecting to servers 477

Fudo Enterprise 5.4 - System Documentation

Problem Symptoms and solution

Connection is terminated Symptoms:
• User tries to log in to server monitored by Fudo Enter-
prise, after entering username and password session is im-
mediately terminated.
• Events log entry: TLS certificate verification failed.

Solution:
Download new target host certificate in the Target host section.

Symptoms:
• After entering username and password the connection is
terminated.
• Events log entry: RDP connection error.

Solution: check if in the General tab in TCP-Rdp properties,

the Encryption level option is not set to FIPS Compliant.

Cannot connect to server Symptoms:

• Cannot log in to server with error message User user0 not
allowed to connect to server.
• Events log entry: Authentication failed: User user0 not
allowed to connect to server.

Cause: user is not assigned to proper connection.

Solution: add user to appropriate connection object.

28.2. Connecting to servers 478

Fudo Enterprise 5.4 - System Documentation

Problem Symptoms and solution

Symptoms:
• After entering username and password, the screen freezes.
• Events log entry Terminating session: User user0
(id=848388532111147010) is blocked.

Cause: user is blocked.

Solution: log in to Fudo Enterprise administration panel and
unblock the user in question.

User has to provide login Symptoms: user connecting over RDP protocol enters login
credentials twice credentials and immediately afterwards is asked again for the
same login information.
Cause: server is a part of an infrastructure managed by con-
nections broker which has detected an active user’s session on
another server.

Symptoms: user connecting over SSH protocol enters login

credentials and immediately afterwards is asked again for login
information.
Cause: in connection object options for login and password
substitution are enabled but the input fields are left blank which
results in two fold authentication - first time against Fudo En-
terprise and second time against the target host.

Cannot connect to server Symptoms:

over RDP protocol • User connecting over RDP is disconnected a moment after
establishing connection.
• Events log entry: RDP server 10.0.0.:33890 has to listen
on the default RDP port in order to redirect sessions.

Cause: connection is redirected to a host which does not listen

on port number 3389.
Solution: configure server in question so it accepts user con-
nections on port number 3389.

Symptoms:
• Events log entry: User user0 has no access to host
192.168.0.1:3389

Cause: connections broker determines an existing user session

on another server and redirects user to that host but it is not
configured on Fudo Enterprise or the user does not have suffi-
cient access rights to connect to given server.
Solution:
• Make sure that the server object exists.
• Add user to proper safe object.

28.2. Connecting to servers 479

Fudo Enterprise 5.4 - System Documentation

Problem Symptoms and solution

Cannot connect to Tel- Symptoms: cannot establish connection to target host.
net5250 server using
PC5250 client revision
20091005 S/20111019 S
Cause: in case of aforementioned client applications, Fudo En-
terprise requires setting up additional objects to enable TCP
traffic on ports number 449, 8470 and 8476.
Soluiton:
• Add Telnet TN5250 server with default port number.
• Add three server objects with TCP protocol and following
port numbers 449, 8470 and 8476.
• Add TN5250 listener, in Proxy mode with default port
number.
• Add three TCP listener objects, in Proxy mode, with port
numbers 449, 8470 and 8476.
• Add regular account, define authentication parameters
and assign it to the main TN5250 server definition.
• Add three anonymous accounts and assign each to one of
supporting servers.
• Add safe and assign account with corresponding listeners.

28.3 Logging to administration panel

Problem Symptoms and solution

Cannot log in to adminis-
• Make sure that Fudo Enterprise IP address is correct.
tration panel
• Set Fudo Enterprise IP address from the console as de-
scribed in the Fudo Enterprise System documentation in
the Network interfaces configuration topic.
• Make sure that the IP address in question has the man-
agement access option enabled.

28.3. Logging to administration panel 480

Fudo Enterprise 5.4 - System Documentation

28.4 Session playback

Problem Symptoms and solution

Cannot playback exported Cause: required video codecs are missing.
video
Solution: install correct video codecs.

Administrator user does Symptoms: session list does not contain expected entries.
not see sessions
Cause: insufficient access rights.
Solution: grant access rights to specific user, server and con-
nection objects.

Cannot playback session in Symptoms: message: Could not find session data.
session player
Cause: recording has been disabled in connection properties
when given session transpired.
Solution: enable session recording to be able to playback ses-
sion material in future.

28.5 Cluster configuration

Problem Symptoms and solution

Data model objects are not Symptoms: Objects created on a node are not copied to other
replicated to other nodes cluster nodes.
Solution: Contact technical support department.

28.4. Session playback 481

Fudo Enterprise 5.4 - System Documentation

28.6 Trusted timestamping

Problem Symptoms and solution

Session are not times- Symptoms:
tamped • System log entry: Timestamping service communication
error.

Reason: Time-stamping host is not reachable by Fudo.

Solution: Make sure that firewall settings allow traffic to the
time-stamping service server.
• PWPW time-stamping service IP address: 193.178.164.
5
• KIR time-stamping service IP address: http://www.ts.
kir.com.pl/HttpTspServer

Symptoms:
• System log entry: Unable to timestamp session.
• No session timestamp icon on sessions list.

Reason: Time-stamping service misconfiguration.

Solution: Make sure that time-stamping service has been con-
figured properly.

28.7 Support mode

Support mode enables remote access to Fudo Enterprise in case it cannot boot up properly.
Enabling support mode
1. Access the system terminal.
2. During the boot up, enter 1 and press the Enter key to confirm.

28.6. Trusted timestamping 482

Fudo Enterprise 5.4 - System Documentation

3. Select network interface.

Note: In support mode, network interfaces are named res* instead of net*.

4. Enter the IP address along with network mask, eg. 10.0.0.8/16.

Note: The IP address is used for establishing remote SSH connection, thus it must be reachable
by the technical support specialist. If possible, the IP address should be the same as before the
system’s malfunction.

28.7. Support mode 483

Fudo Enterprise 5.4 - System Documentation

5. Enter the gateway’s IP address and press enter to enable connection to your Fudo Enter-
prise.

Note:
• Fingerprint allows for verifying that the connection has been established with the correct
remote host.

28.7. Support mode 484

Fudo Enterprise 5.4 - System Documentation

6. Once the work is done and the connection is no longer needed, press [Ctrl] + C keys to
close it and reset the network settings.

Related topics:
• Network interfaces configuration
• System maintenance

28.7. Support mode 485

CHAPTER 29

Use Cases

29.1 Two-factor OATH authentication with Google Authenticator

Google Authenticator generates verification code as a dynamic component to a static password

to increase account security.
Fudo Enterprise allows configuring default settings for the OATH authentication so they are
automatically added to the user definition, when administrator selects OATH as an active authen-
tication method.

29.1.1 Protocols Supporting OATH Authentication Method

When logging in, OATH authentication can be performed either in Challenge-Response mode
or by concatenating the dynamic code generated by Google Authenticator to the end of the
static password defined in the authentication method, such as password481418. Please note
that not all protocols support this authentication method.

Table 1: OATH Availability Across Protocols

Platform or Protocol Challenge-Response Password
Mode + Dynamic
Code
Logging into Access available available
Gateway
Logging into Admin available available
Panel
VNC available available
SSH available available
RDP available available
Telnet 3270 not available available
Telnet 5250 not available available
Continued on next page

486
Fudo Enterprise 5.4 - System Documentation

Table 1 – continued from previous page

Platform or Protocol Challenge-Response Password
Mode + Dynamic
Code
Telnet not available available
MS SQL(TDS) not available not available
HTTP/S not available not available
TCP not available not available
MySQL not available not available
X11 not available not available
Modbus not available not available

29.1.2 Configuring the OATH Authentication Method

In order to configure default settings for the OATH authentication method, follow the instruc-
tion:
1. Select Settings > Authentication > OATH authentication.
2. Fill out the Issuer field.
3. From the Token type field select TOTP (time-base) or HOTP (counter-base).
4. Fill out the Token length field.
5. Input Time step if selected Token type was TOTP (time-base).
6. Click Save.

In order to configure OATH as an active authentication method for a user, follow the steps:
1. Select Management > Users.
2. Find and click the user for whom you want to add the OATH authentication method.
3. Scroll down to the Authentication section.
4. Choose OATH type from the Add authentication method drop-down list.
5. Choose the Static password or External authentication as a first factor.
If Password is chosen:
• Enter password’s static part.

29.1. Two-factor OATH authentication with Google Authenticator 487

Fudo Enterprise 5.4 - System Documentation

• Fields Token type, Token length and Time step will be filled out automatically as default
settings claim. Their value is editable.
• Enter a secret that will be used by Google Authenticator. Note, that the secret must be
a Base32 encoded value. Alternatively, click Generate to generate it automatically or
QRCode to show the QR code.
If External authentication is chosen:
• Select External authentication source.
• Fields Token type, Token length and Time step will be filled out automatically as default
settings claim. Their value is editable.
• Enter a secret that will be used by Google Authenticator. Note, that the secret must be
a Base32 encoded value. Alternatively, click Generate to generate it automatically or
QRCode to show the QR code.

Note: The Initialized option serves for the user’s initialization via the QR code. When their
static password as a First factor setting is filled or External authentication source if configured,
the QR code is displayed during their first connection. After successful first authentication the
Initialized option becomes checked and takes uneditable state.

6. Click Save.
7. Launch Google Authenticator.

29.1. Two-factor OATH authentication with Google Authenticator 488

Fudo Enterprise 5.4 - System Documentation

Manual entry QR Code

• Select Enter a provided key.

• Click on user configuration form,
next to the Secret field in the Authen-
tication section.
• Select Scan a barcode in Google Authen-
ticator and scan the code.

• Enter account name.

Continued on next page

29.1. Two-factor OATH authentication with Google Authenticator 489

Fudo Enterprise 5.4 - System Documentation

Table 2 – continued from previous page

Manual entry QR Code

• Enter the secret defined in OATH au-

thentication method.

Note: Click on the user configuration

form in the Authentication section to reveal
the secret.

• Select Counter based.

Continued on next page

29.1. Two-factor OATH authentication with Google Authenticator 490

Fudo Enterprise 5.4 - System Documentation

Table 2 – continued from previous page

Manual entry QR Code

• Select ADD.

8. When logging in, the password string consists of a static password defined in the au-
thentication method and dynamic part generated by the Google Authenticator, e.g.
password481418.

Related topics:
• User authentication methods and modes

29.1. Two-factor OATH authentication with Google Authenticator 491

Fudo Enterprise 5.4 - System Documentation

29.2 OpenID Connect authentication definition with Azure

To configure the OpenID Connect authentication method with Azure, please follow below steps.

Note: Please note that this is a general guide, and specific details may vary depending on your
Azure setup. Refer to Azure documentation for precise configuration steps.

Create user in Microsoft Entra ID (Azure Active Directory)

1. Go to the Azure Portal and log in with your Azure credentials.
2. In the left-hand menu, select Microsoft Entra ID.

3. Under the Manage section, click on Users.

4. Click the + New user button to create a new user. Select Create new user from
the drop-down list.

29.2. OpenID Connect authentication definition with Azure 492

Fudo Enterprise 5.4 - System Documentation

5. In the User principal name field, enter the username of the user account. For
example, [email protected].
6. In the Display name field, provide the name of the user of the account.
7. Provide the password phrase in the Password field or click the Auto-generate
password option to generate the password.
8. Select the Account enabled option.
9. In the Properties tab, under the Contact Information, in the Email field provide
the email address. For example, [email protected].
10. Enter the details required for the user under the Properties and Assignments
tabs.
11. Click Create.
Register Fudo in Microsoft Entra ID (Azure Active Directory)
1. Go back to the Microsoft Entra ID menu and under the Manage section, click
on Enterprise applications.

2. Click the + New application button to create a new application.

29.2. OpenID Connect authentication definition with Azure 493

Fudo Enterprise 5.4 - System Documentation

3. Click the + Create your own application button.

4. In the right-hand dialog box provide the name of your app and chose Register
an application to integrate with Azure AD (App you’re developing) option.
5. Click Create.

6. In the next page, under the Supported account types select the Accounts in this
organizational directory only (This Directory only - Single tenant) option.
7. Under the Redirect URI section select Web from the Select a platform drop-
down list and provide the address of the Fudo Enterprise Access Gateway with
the /oidc suffix. For example, https://10.0.58.239/oidc or https://fudo.
example.com/oidc.

Note: You can find the Access Gateway address under the Settings > Network
configuration menu in the Fudo Enterprise. For more information, please follow the
Network settings section.

29.2. OpenID Connect authentication definition with Azure 494

Fudo Enterprise 5.4 - System Documentation

8. Click Register to create the application.

9. Go back to the main Microsoft Entra ID menu and under the Manage section,
click on App registrations.
10. Change to All applications tab and find created application on the applications
list.
11. Click on it’s name to edit the parameters. Note down the Application (client)
ID and Directory (tenant) ID as you will need these later.

Configure Authentication Setting

1. Go back to the main Microsoft Entra ID menu and under the Manage section,
click on App registrations.
2. Find created application on the applications list and click on it’s name to edit
the parameters.

29.2. OpenID Connect authentication definition with Azure 495

Fudo Enterprise 5.4 - System Documentation

3. Under the Manage section, click on Authentication.

4. In the Web platform created for Fudo Enterprise add the Redirect URI(s) fol-
lowing to the Admin Panel with the /oidc suffix. For example, https://10.
0.58.238/oidc or https://fudo.example.com/oidc.

5. In the Implicit grant and hybrid flows section, check ID tokens and Access tokens
options.

6. In the App instance property lock section, click Configure and uncheck the
Enable property lock option in the right-hand dialog box. Click Save to close
the dialog box.
7. Click Save to save your authentication settings.
Generate Client Secret

29.2. OpenID Connect authentication definition with Azure 496

Fudo Enterprise 5.4 - System Documentation

1. In your application’s settings in the Azure Portal, navigate to the Certificates

& secrets section.
2. Under the Client secrets section, click + New client secret.
3. Provide a description, select the desired expiration period, and click Add.

Warning: Note down the generated Secret ID and Value as you will need it
for Fudo Enterprise configuration. Once saved, the secret value will no longer be
visible.

Get OpenID Connect Configuration URL

1. In your application’s settings in the Azure Portal, navigate to the Overview
section.
2. Open the Endpoints tab, and look for the OpenID Connect metadata document
URL. This is your OpenID Connect Configuration URL. Copy it as you’ll need
it for Fudo Enterprise configuration.

Configure OpenID Connect authentication method in Fudo

1. Go to your Fudo Enterprise Admin Panel.

29.2. OpenID Connect authentication definition with Azure 497

Fudo Enterprise 5.4 - System Documentation

2. Select Settings > Authentication.

3. Choose OpenID Connect authentication tab.
4. Click Add an external authentication source.
5. Check the Enabled option to globally enable OpenID Connect authentication.
6. Provide Name (for example, Azure).
7. Input the Configuration URL (the OpenID Connect metadata document URL
from Azure).
8. Provide the Client ID (the Secret ID from Azure).
9. Provide the Client secret (the certificate Value from Azure).

10. Add Username mapping and Email mapping. Those fields are useful when user’s
name has different naming convention.
11. Provide Bind address.
12. Click Save.
Create new user in Fudo
1. Select Management > Users and then click + Add user.
5. Click Save.

Note: This address is utilized to associate Fudo Enterprise users with their cor-
responding accounts created in Azure. Ensure that there is no duplication of email
addresses among users.

Testing
You can now test the OpenID Connect authentication by attempting to log in to
Fudo Enterprise. Log in using the Azure authentication method:

29.2. OpenID Connect authentication definition with Azure 498

Fudo Enterprise 5.4 - System Documentation

Related topics:
• User authentication methods and modes
• Authentication
• Integration with CERB server

29.3 Remote Desktop Services configuration on Windows Server

for Fudo Enterprise

Before you start the procedure, check the following requirements:

• All servers with Windows Server 2019 or 2022 environment are connected in a domain;
• Domain Controller with AD user group is configured on Windows Server;
• All Windows servers have the security patch CredSSP CVE-2018-0886 installed;
• You have the access to the Fudo Admin Panel to set up an RDP connection.
To configure and use the Remote Desktop Services (RDS) with Fudo Enterprise, please follow
below steps.

Note: Please note that this is a general guide, and specific details may vary depending on your
Windows Server setup. Refer to the Windows Server documentation for precise configuration
steps.

29.3. Remote Desktop Services configuration on Windows Server for Fudo Enterprise 499
Fudo Enterprise 5.4 - System Documentation

29.3.1 Setup Remote Desktop Services (RDS)

Add Servers:
1. Log in to the server on which you want to setup the Remote Desktop Services.
2. Open the Server Manager application.
3. Click Manage button on the upper right corner of the window to expand the
menu list and select Add Servers.

4. Click Find Now.

5. Add all the servers you’re going to use for RDS by clicking on each server in
the deployment. Click OK. In this use case we add 3 servers: HOST1, HOST2,
and RDB which will play the Broker role.

Deploy the Remote Desktop Services components:

1. Click Manage button on the upper right corner of the window to expand the
menu list and select Add Roleas and Features.

29.3. Remote Desktop Services configuration on Windows Server for Fudo Enterprise 500
Fudo Enterprise 5.4 - System Documentation

2. On the Before You Begin tab, click Next to proceed.

3. On the Installation Type tab, select Remote Desktop Services installation, and
click Next to proceed.

4. On the Deployment Type tab, select Standard Deployment to access more de-
tailed instructions for installing Remote Desktop Services. Click Next to pro-
ceed.

29.3. Remote Desktop Services configuration on Windows Server for Fudo Enterprise 501
Fudo Enterprise 5.4 - System Documentation

5. On the Deployment Scenario tab, select Session-based desktop deployment.

Click Next to proceed.

6. On the Role Services tab, review the services that will be installed. Click Next
to proceed.
7. On the RD Connection Broker tab, select the appropriate server on which to
install the RD Connection Broker role service. In this example RDB server was
selected. Click Next to proceed.

29.3. Remote Desktop Services configuration on Windows Server for Fudo Enterprise 502
Fudo Enterprise 5.4 - System Documentation

8. On the RD Web Access tab, select the appropriate server on which to install the
RD Web Access role service. In this example, the RDB server was also selected.
Click Next to proceed.

9. On the RD Session Host tab, select the appropriate servers on which to install
the RD Session Host role service. In this example, the HOST1 and HOST2 servers
were selected. Click Next to proceed.

29.3. Remote Desktop Services configuration on Windows Server for Fudo Enterprise 503
Fudo Enterprise 5.4 - System Documentation

10. On the Confirmation tab, select Restart the destination server automatically if
required, and then click Deploy.

11. Wait for the deployment to complete successfully and click Close.
Add the RD Gateway server and certificate name:
1. Select the Remote Desktop Services section from the left-hand menu and go to
Overview tab.
2. Click the + RD Gateway button and in the Add RD Gateway Servers wizard,
select the virtual machine where you want to install the RD Gateway server.
In this example RDB server was selected.

29.3. Remote Desktop Services configuration on Windows Server for Fudo Enterprise 504
Fudo Enterprise 5.4 - System Documentation

3. Click Next.
4. Enter the SSL certificate name for the RD Gateway server using the external
fully qualified DNS Name (FQDN) of the RD Gateway server. Example, cert.
mk.local.
5. Click Next, and then click Add.
6. Wait until the role service is deployed and click Close.
Configure the RD Gateway and RD Licensing deployment properties:
1. Go back to the Overview tab, click Tasks and select Edit Deployment Properties
from the drop down list.

2. On the RD Gateway tab, select Automatically detect RD Gateway server set-

tings option and click Apply.

29.3. Remote Desktop Services configuration on Windows Server for Fudo Enterprise 505
Fudo Enterprise 5.4 - System Documentation

3. Expand the RD Licensing tab and select Per Device. Click Apply.

4. Expand the ‘RD Web Access’ tab, to check the RD Web Access IIS application

29.3. Remote Desktop Services configuration on Windows Server for Fudo Enterprise 506
Fudo Enterprise 5.4 - System Documentation

URL. It is installed by default under the /RdWeb.

5. Click on the displayed URL to verify the RD Web Access login using the ad-
ministrator account.

Note: While login, please use the domain in the user name field. For example,
[email protected].

29.3. Remote Desktop Services configuration on Windows Server for Fudo Enterprise 507
Fudo Enterprise 5.4 - System Documentation

6. Save this address for the subsequent configuration steps.

7. Click OK in the Deployment Properties window to go back to the Overview tab
of the Remote Desktop Services section.
Add the RD License Server:
1. Click the + RD Licensing button in the Overview tab of the Remote Desktop
Services section.

2. Select the virtual machine where the RD license server will be installed. In this

29.3. Remote Desktop Services configuration on Windows Server for Fudo Enterprise 508
Fudo Enterprise 5.4 - System Documentation

example RDB server was selected. Click Next, and then click Add.
3. Wait until the role service is deployed and click Close.
Create a session collection:
1. Go to the Collections tab of the Remote Desktop Services section, click Tasks
and select Create Session Collection from the drop down list.

2. On the Before You Begin tab, click Next to proceed.

3. On the Collection Name tab, provide a descriptive name of the collection. In
this example we used test-collection name. Click Next to proceed.

Note: This name will be displayed under its icon in the Web Access interface.

4. On the RD Session Host tab, select the RD Session Host Servers to add to this
collection. In this example, the HOST1 and HOST2 servers were selected.
5. On the User Groups tab, define user groups. You can either accept the default
user groups or add one or more groups of users permitted to connect using RDP
to the Session Host server(s).
6. On the User Profile Disks tab, select Enable User Profile Disks option and
specify the settings if needed. You can also leave this option disabled.
7. On the Confirmation tab, please review all the information and then click ‘Cre-
ate’.
8. Wait until the collection is created. Click Close.
Test the connection:
1. Open the RD Web Access URL saved in previous steps (e.g., https://rdb.mk.
local/RDWeb/).
2. Enter a valid username and password and click Sign in. You can use the domain
admin account to login, for example, [email protected].
3. After logging in, the full collection of created desktop sessions is presented.

29.3. Remote Desktop Services configuration on Windows Server for Fudo Enterprise 509
Fudo Enterprise 5.4 - System Documentation

4. Click on the created test-collection icon to download the RDP connection

file or immediately establish a connection.

5. Provide login credentials of one of the users specified in the domain.

29.3. Remote Desktop Services configuration on Windows Server for Fudo Enterprise 510
Fudo Enterprise 5.4 - System Documentation

Note: In this part of the manual, a general process for configuring Remote Desk-
top Services has been presented. To utilize Fudo Enterprise’s functionality during
connections, please follow the steps outlined in the subsequent part of the instruction.

29.3.2 Setup Fudo Enterprise

Note: This use case describes how to configure Fudo Enterprise using the Active Di-
rectory external authentication method. Please keep in mind that you can customize
user authentication using any other method supported by Fudo Enterprise to align
with your specific requirements, the methods typically used in your environment,
and your work scenarios.

Configure external authentication method:

1. Login into your Fudo Enterprise Admin Panel.
2. Select Settings > Authentication.
3. In the External authentication tab click Add an external authentication
source.
4. From the Type drop down list select Active Directory.
5. In the Host field provide the Domain Controller IP address (e.g., 10.0.136.1).
6. Leave default port number: 389.
7. Set the Bind address to Any.
8. Provide the name of the domain which will be used for authenticating users in
Active Directory (e.g., mk.local).

29.3. Remote Desktop Services configuration on Windows Server for Fudo Enterprise 511
Fudo Enterprise 5.4 - System Documentation

9. In the Login, Secret, and Repeat secret fields provide the privileged account’s
login credentials used to access the Domain Controller.

10. Click Save.

Create User in Fudo:
1. Select Management > Users and then click + Add user.
4. Click Save.
6. Go to the Authentication section and from the Add authentication method drop
down list select External authentication.
7. Chose created in previous steps Active Directory method and click Save.
8. If necessary, please fill in the remaining parameters as needed for your specific
configuration. For more details, please refer to the Creating a user section.
9. Click Save and close.
Configure Server with the role of Connection Broker:
1. Select Management > Servers and then click + Add server.
2. Enter server’s unique name (e.g., Broker).
3. In the Permissions section, add users allowed to manage this object.
4. In the Settings section on the list of available protocols select RDP.
5. Select the TLS enabled and the NLA enabled options.
6. In the Destination section select IPv4 and enter IP address of the server selected
during RDS setup for the RD Broker role (in our example, RDB server with IP
10.0.136.2).
7. Click Save and close.
Configure Servers with the role of Session Hosts:
1. Select Management > Servers and then click + Add server.
2. Enter server’s unique name (e.g., HOST1).

29.3. Remote Desktop Services configuration on Windows Server for Fudo Enterprise 512
Fudo Enterprise 5.4 - System Documentation

3. In the Permissions section, add users allowed to manage this object.

4. In the Settings section on the list of available protocols select RDP.
5. Select the TLS enabled and the NLA enabled options.
6. In the Destination section select IPv4 and enter server’s IP address (in our
example, 10.0.136.4).
7. Click Save and close.
8. Repeat all the above steps to create second server with name HOST2 and IP
address 10.0.136.5.
Configure Pool:
1. Select Management > Pools and then click + Add pool.
2. Enter pool’s unique name (e.g., RDS-pool).
3. In the Settings tab select servers to be added to the pool (e.g., HOST1, HOST2).
4. In the Permissions section, add users allowed to manage this object (e.g.,
user1).

6. Click Save and close.

Configure Account:
1. Select Management > Accounts and then click + Add.
2. Define object’s name (e.g., user1).
3. Select forward from the Type drop-down list.
4. Go to the Server / Pool section and from the drop down list select Pool created
in previous step (e.g., RDS-pool) to assign created account to this server pool.
5. In the Credentials section select Forward domain option to have the domain
name included in the string identifying the user.
6. Click Save.
Configure Listener
1. Select Management > Listeners and then click + Add listener.
2. Enter listener’s unique name (e.g.,‘‘rdp-broker-bastion‘‘).

29.3. Remote Desktop Services configuration on Windows Server for Fudo Enterprise 513
Fudo Enterprise 5.4 - System Documentation

3. Go to Permissions tab and add users allowed to manage this listener (e.g.,
user1).
4. Go to Settings tab and press the RDP button in the Protocol field.
5. Select the TLS enabled option to enable encryption.
6. Check the NLA enabled option for additional security.
7. In the Connection mode section, select bastion.
8. Set the local address to 10.0.58.238 or Any, and port 3389.
9. In the CA certificate field, click Generate certificate to generate TLS certificate,
or click Upload to upload server certificate file with private key pasted at the
end of the file.
10. Click Save and close.
Establish a connection through the Access Gateway:

Warning: When establishing connections using the Remote Desktop Services,

please use the Native client option. Web client feature is not functional for this
type of scenario.

1. Log in to the Fudo Enterprise Access Gateway using user1 as the username
and password corresponding to the one configured in the Active Directory.

Note: You can find the Access Gateway address in the Settings > Network config-
uration menu tab.

2. Hover the cursor over the user1 account name, select Native client and click
the Connect button to download the .rdp configuration file.
3. Open the downloaded file to establish a connection.
4. Enter the password for the user1 account to log in to the server.
Redirect the connection through Fudo using RDP native client:
1. In order to redirect the connection through Fudo Enterprise, we need to use the
Fudo Access Gateway address in the RDP client configuration.
2. Choose your favorite remote desktop client, such as Microsoft Remote Desktop,
and follow its workflow to add a new PC for connection.

29.3. Remote Desktop Services configuration on Windows Server for Fudo Enterprise 514
Fudo Enterprise 5.4 - System Documentation

3. Following the example of Microsoft Remote Desktop, click the plus icon in the
upper part of the window and select Add PC.

4. In the PC Name field, enter the address of the Fudo Enterprise Access Gateway
followed by the port number and click Add.

Note: You can find the Access Gateway address in the Settings > Network config-
uration menu tab.

29.3. Remote Desktop Services configuration on Windows Server for Fudo Enterprise 515
Fudo Enterprise 5.4 - System Documentation

5. Connect to the added PC by providing the bastion login string in Username

field and password in the Password field.

Note:
• Please use the following pattern for the bastion login string: user name # ac-
count login on the target server # target server address (e.g., user1#user1#10.
0.136.4).
• You can skip the account login if it’s the same as the user name, e.g, user1##10.
0.136.4

6. Remote Desktop client will establish connection with one of the servers from
the RDS collection.
View the established session in the Fudo Enterprise Admin Panel:
1. Login into your Fudo Enterprise Admin Panel.
2. Select Management > Sessions and run the session preview.
3. Find desired session and click the play icon next to it.

29.3. Remote Desktop Services configuration on Windows Server for Fudo Enterprise 516
Fudo Enterprise 5.4 - System Documentation

Related topics:
• RDP in bastion mode
• Authentication
• Integration with CERB server

29.4 Managing RPD Server certificates in Windows Server

While creating RDP Server in Fudo Enterprise, you can specify the server verification method
by getting the server certificate or importing the CA certificate. You can follow below manual
to manage mentioned certificates in the Windows Server environment.

29.4.1 Locating the Server Certificate in Windows Server

Please follow one of below scenarios to localize the certificate retrieved by Fudo Enterprise from
the Widnows Server during the RDP server creation.
Locating the Server Certificate in Certificate Manager Tool:
You can localize the certificate retrieved by Fudo Enterprise from the Widnows Server
in the Certificate Manager tool. To view the certificate, please follow below steps:
1. Select Run from the Start menu in Widnows Server, and then enter certlm.msc.
2. The Certificate Manager tool for the local device appears.

29.4. Managing RPD Server certificates in Windows Server 517

Fudo Enterprise 5.4 - System Documentation

3. To view your certificate, expand the Remote Desktop > Certificates directory
under the Certificates - Local Computer in the left pane of the Certificate Man-
ager tool window.

Locating the Server Certificate by the Serial Number:

You can also localize certificate used by Fudo Enterprise by extracting certificate’s
serial number.
1. After clicking the ‘Get certificate’ button, Fudo Enterprise connects to the spec-
ified address and port to retrieve the certificate. A similar action can be per-
formed from the command line by invoking below command:

openssl s_client -connect adres:port

Example:

openssl s_client -connect 10.0.133.4:3389

2. In the response you will receive the certificate that you can use to extract the
certificate serial number by typing below command and providing the obtained
certificate content:

c x509 -noout -serial

tUYkxKeuqpn9AWnYP8To1fornJN387ddhcy76d7jchc8Q093RWVb2cMKKjgOAW9w
qLFW+WrLEUPY8hYvsCFYgFH3H0HhKLEoWBN5qHH7vjIiW3Rb0Y7xeGb9x0FWItQX
mbF6sucGdlH+OsjepxMLPVh3Qpb2WQ18kSQGyS1ocbJxOWST9sH4MQkRVFL3rkxN
(continues on next page)

29.4. Managing RPD Server certificates in Windows Server 518

Fudo Enterprise 5.4 - System Documentation

(continued from previous page)

f7/
˓→qdJcdM6sFxEJTdp30CITRfbORXacl84bStjW2MJzvJRqr94xDHonRdIM9tUka
06LVJQY6qiEpMVE8MpSDAfoZ+HeyVWt+2EfXlfWE4hiMJP1DoQIDAQABoyQwIjAT
BgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQELBQAD
ggEBAGNXzwNC4DhOxyaVhVTPePsa97aeWJtpl64cE4/ZdAfGBEIfHlBEh/
˓→Tnrrn2
7pr0jLnCjUq9rxHC6jfMR0U2PT4qrMHvGD1nUwZdHuZPavPLFHh/
˓→rYHZpizoS+9W
ggEBAGNXzwNC4DhOxyaVhVTPePsa97aeWJtpl64cE4/ZdAfGBEIfHlBEh/
˓→Tnrrn2

xyXjeYdX8/U9EdgrXOLGX9U74rfGQTrQxZyjuYlGxxqop/
˓→y2V3n+3NnNzY+ehW1G
ggEBAGNXzwNC4DhOxyaVhVTPePsa97aeWJtpl64cE4/ZdAfGBEIfHlBEh/
˓→Tnrrn2
ZUvdUnqtdH+0DdAWBo4P1dv0nL8=
-----END CERTIFICATE-----

3. This will result in extracting the certificate’s serial number that you can use to
search the exact certificate in the Certificate Manager tool.

serial=41EB33A67D4F9A884AFFBD1615E11EDD

4. Copy extracted serial number and go to the Windows Server.

5. Select Run from the Start menu, and then enter certlm.msc to open the Cer-
tificate Manager tool.
6. Go to Action > Find Certificates...

7. Provide copied serial number in the Contains field and select Serial Number
from the Look in Field drop down list.

29.4. Managing RPD Server certificates in Windows Server 519

Fudo Enterprise 5.4 - System Documentation

8. Click Find Now.

29.4.2 Providing the CA Certificate

Note:
• This is a conceptual guide that outlines the fundamental setup of a CA for the RDP
protocol. The necessary steps may vary depending on the initial settings of the environment
in which you are working.
• To prepare CA certificate to be used in Fudo Enterprise it is needed to deploy internal
Certificate Authority on the network with an RDP certificate template to issue RDP
certificates.

Install the Certificate Authority on Windows Server:

To install the Certificate Authority on Windows Server, follow the default configuration as
specified in the manufacturer’s manual.

Note: For the procedure outlined in the manual below, the Enterprise CA option was selected.

Create a Template for RDP Certificate:

1. Open the Certificate Authority from the Server Manager by clicking Tools >
Certification Authority in the upper right corner of the window.

29.4. Managing RPD Server certificates in Windows Server 520

Fudo Enterprise 5.4 - System Documentation

2. Right click on the Certificate Template and choose Manage.

3. Find the Computer template, right click on it and choose Duplicate Template.

29.4. Managing RPD Server certificates in Windows Server 521

Fudo Enterprise 5.4 - System Documentation

4. In the General tab, enter the name for new template and specify the validity
and renewal period according to your needs.

5. In the Compatibility tab, choose Windows Server 2003 from the Certification
Authority drop-down list and Windows XP/ Server 2003 from the Certificate
recipient drop-down list.

29.4. Managing RPD Server certificates in Windows Server 522

Fudo Enterprise 5.4 - System Documentation

6. In the Request Handling tab, set the Purpose to the Signature and encryption
and check the Allow private key to be exported.

7. In the Cryptography tab, choose:

29.4. Managing RPD Server certificates in Windows Server 523

Fudo Enterprise 5.4 - System Documentation

• set the Provider Category to Legacy Cryptography Service Provider,

• set the Algorithm name to Determined by CSP,
• set the Minimum Key Size according to organisation security requirement
(e.g., 1024).
• choose the Request must use one of the following providers option and select
the Microsoft RSA SChannel Cryptographic Provider.

8. In the Key Attestation tab, leave default settings.

29.4. Managing RPD Server certificates in Windows Server 524

Fudo Enterprise 5.4 - System Documentation

9. In the Server tab, leave default settings.

10. In the ‘Security’ tab, add the computers and groups you want to be able to
enroll for this template. Check if group or user you are using has the Read,

29.4. Managing RPD Server certificates in Windows Server 525

Fudo Enterprise 5.4 - System Documentation

Write, and Enroll permissions enabled. It is needed to request the certificate

using this template in the next steps.
11. In the Extensions tab, edit the Application Policies.
12. Remove the Server Authentication and Client Authentication policies.
13. Add new policy by clicking Add, and New in the next window.
14. In the Name field enter Remote Desktop Authentication and in the Object
identifier field type 1.3.6.1.4.1.311.54.1.2.

15. Click three times OK to return to the Properties of New Template window.
16. In the Subject Name tab, select Build from this Active Directory information
option and next the DNS name.

29.4. Managing RPD Server certificates in Windows Server 526

Fudo Enterprise 5.4 - System Documentation

17. In the Issuance Requirements tab, leave default settings.

18. Click OK to save created template. Close the Certificate Templates Console.

29.4. Managing RPD Server certificates in Windows Server 527

Fudo Enterprise 5.4 - System Documentation

19. Go back to the Certification Authority window. Right click on the Certificate
Template and choose New > Certificate Template to Issue.

20. Select created template and click OK.

Configure a GPO to Deploy the Template

1. Press Win + R, type gpmc.msc, and press Enter to open the Group Policy
Management on the server.
2. Create new Group Policy Object (GPO), or navigate to the GPO, you are going
to edit. In this example we will create new one.
3. Right click on the domain name and choose Create a GPO in this domain, and

29.4. Managing RPD Server certificates in Windows Server 528

Fudo Enterprise 5.4 - System Documentation

Link it here. . .
4. Provide a name for new GPO (e.g., rdp) and click OK.

5. Right click on the name of created GPO and select Edit. . . .

6. In the Group Policy Management Editor navigate to Computer Configuration >
Policies > Administrative Templates > Windows Components > Remote Desk-
top Services > Remote Desktop Session Host > Security.
7. Double-click on the Server authentication certificate template to edit this set-
ting.

29.4. Managing RPD Server certificates in Windows Server 529

Fudo Enterprise 5.4 - System Documentation

8. Select Enabled option and enter the name of the template created in the previous
steps into the Certificate Template Name field.

9. Click OK.
10. Double click on the Require use of specific security layer for remote (RDP)
connections to edit this setting.
11. Select Enabled option and choose SSL from the Security Layer drop-down menu.

29.4. Managing RPD Server certificates in Windows Server 530

Fudo Enterprise 5.4 - System Documentation

12. Click OK.

13. Link the GPO to the OU containing your servers / desktops that need RDP
certificates if needed. They will auto enroll when Group Policy is updated.
Enroll the RDP Certificate
1. Press Win + R, type certlm.msc, and press Enter to open the Certificate Man-
ager tool for the local device.
2. Navigate to Personal > Certificates.
3. Right-click in the manager window and select All Tasks > Request New Certifi-
cate. . . .
4. Click Next on the Before You Begin and on the Select Certificate Enrollment
Policy tabs.
5. On the Request Certificate tab, select the template created in previous steps
and click Enroll.
6. Copy the enrolled certificate to the Trusted Root Certification Authorities >
Certificates directory.
Export the CA Certificate
1. Press Win + R, type certlm.msc, and press Enter to open the Certificate Man-
ager tool for the local device.
2. Navigate to Trusted Root Certification Authorities > Certificates.

29.4. Managing RPD Server certificates in Windows Server 531

Fudo Enterprise 5.4 - System Documentation

3. Right-click on your Root Certification Authority certificate and select All Tasks
> Export. . . .
4. Click Next.
5. Select Base-64 encoded X. 509 (.CER) format and click Next.
6. Specify the name and localisation for the exported certificate.
7. Click Next and Finish to save the file.
Create User in Fudo:
1. Select Management > Users and then click + Add user.
2. Enter the user name (e.g., ‘User1’).
3. In the Settings tab, under the Safes section, select portal.
4. Click Save.
5. Go to the Authentication section and from the Add authentication method drop
down list select Static password.

6. Provide password and click Save.

7. If necessary, please fill in the remaining parameters as needed for your specific
configuration. For more details, please refer to the Creating a user section.
8. Click Save and close.
Configure RDP Server:
1. Select Management > Servers and then click + Add server.
2. Enter server’s unique name (e.g., ServerRDP).
3. In the Permissions section, add users allowed to manage this object.
4. In the Settings section on the list of available protocols select RDP.
5. Select the TLS enabled and the NLA enabled options.

29.4. Managing RPD Server certificates in Windows Server 532

Fudo Enterprise 5.4 - System Documentation

6. In the Destination section select IPv4 and enter IP address of the server for
which you wish to set up an RDP connection.
7. In the Server verification section select CA certificate and upload exported CA
certificate file.

8. Click Save and close.

Configure Account:
1. Select Management > Accounts and then click + Add.
2. Define object’s name (e.g., CA-account).
3. Select regular from the Type drop-down list.
4. Go to the Server / Pool section and from the drop down list select the server
created in previous step (e.g., ServerRDP) to assign created account to this
server.
5. In the Credentials section provide the Domain and Login used to authenticate
on the server.
6. From the Replace secret with drop down list select password, and provide pass-
word used to authenticate on the server.
7. Click Save.
Configure Listener:
1. Select Management > Listeners and then click + Add listener.
2. Enter listener’s unique name (e.g., RDP-bastion).
3. Go to Permissions tab and add users allowed to manage this listener (e.g.,
User1).
4. Go to Settings tab and press the RDP button in the Protocol field.
5. Select the TLS enabled option to enable encryption.

29.4. Managing RPD Server certificates in Windows Server 533

Fudo Enterprise 5.4 - System Documentation

6. Check the NLA enabled option for additional security.

7. In the Connection mode section, select bastion.
8. Set the local address to any and port 3389.
9. In the Server certificate field, click Generate certificate to generate TLS cer-
tificate by choosing key algorithm and providing Common Name (server name
where the certificate is installed).

10. Click Save and close.

Configure Safe:
1. Select Management > Safes and then click + Add.
2. Enter object’s name (e.g., SafeRDP).
3. Select Web Client option to allow connecting to the session in browser.
4. Select Users tab to assign users allowed to access accounts assigned to this
safe.

• Click + Add user, and then click the button next to User1, which was
created in previous steps, to enable server access over monitored safe.
• Click ok to close the modal window.
5. Select Accounts tab to add accounts accessible through this safe.

• Click + Add account, and then click the next to CA-account, which
was created in previous steps.
• Click ok to close the modal window.
• Click to assign listener to accounts.

• Click to add listener RDP-bastion created in previous steps.

• Click ok to close the modal window.

29.4. Managing RPD Server certificates in Windows Server 534

Fudo Enterprise 5.4 - System Documentation

6. Click Save.
Establish a session:
1. Log in to the Fudo Enterprise Access Gateway using User1 as the username
and password provided during the creation of this user.
2. Hover the cursor over the CA_account name and select Web client to start the
session.

Related topics:
• Creating an RDP server
• Creating a user

29.4. Managing RPD Server certificates in Windows Server 535

CHAPTER 30

Frequently asked questions

1. How many user sessions can be stored on at once?

2. How Fudo Enterprise supports sessions archiving?
3. How to calculate storage space required for archiving sessions?
4. How users can hide their activities on servers which they access through Fudo Enterprise?
5. How to determine unauthorized access attempts to supervised servers?
6. Is it possible to hide the login screen when connecting over the RDP protocol?
7. Why the users list in the connection’s properties is incomplete?
8. Why is a user removed from the LDAP/AD server still present on the users list?
9. How frequently are users’ definitions synchronized with an LDAP/AD server?
10. I see * instead of the keystrokes in the session player. Is it possible to see the actual keyboard
input?
11. Can I deactivate a session URL?
12. What should I do before returning a demonstration unit after testing?
AI session processing
13. How long does it take for the model to learn? How many sessions do I have to record to see
results?
14. We have 20 accounts and 20 users in our company - how long will it take to see differences?
15. If I connect to different servers, does Fudo create a separate model for each of them?
16. If I give my login credentials to another person, will the AI detect that someone else has
logged in and terminate the session?
17. Session status icon is yellow all the time - what does it mean?
18. Five users use the same account to establish connections - will the system be able to determine
who and when has logged in onto the server?

536
Fudo Enterprise 5.4 - System Documentation

19. How will the system determine that it wasn’t me if we all use the same commands?
20. Sessions are not analyzed, why is that?
1. How many user sessions can be stored at once?
Fudo Enterprise F1000 series is delivered with 24 TB of RAW hard drive space (15.9 TB usable)
while the F3000 series appliances come with 96 TB of RAW storage space (59.9 TB usable)
dedicated for storing users sessions.
Size of the stored session is determined by user’s activity. An hour of recorded connection takes
on average:

RDP 218 MB active user session (no activity generates almost no data). Definite session
size depends on the screen resolution, color depth and actual user activity.
SSH 41.5 MB active session.

Given that assumptions, internal storage space enables recording of:

RDP SSH
F1000 28.6 years 150.2 years
F3000 112.8 years 592.5 years

Note:
• Disk usage figures include space taken up by the filesystem’s redundancy mechanism. The
filesystem reserves a portion of available storage, which results in some of the storage space
being reported as used on a newly initiated system.
• Fudo Enterprise allows specifying how long sessions data should be stored, and will au-
tomatically delete session data after a certain time, determined by retention parameter ,
elapses.

2. How Fudo Enterprise supports sessions archiving?

All sessions are stored on Fudo Enterprise internal storage space. In addition to that, Fudo
Enterprise allows exporting sessions in native format or a video record.
3. How to calculate storage space required for archiving sessions?
File size of sessions in native format are the same as in question 1. In case of video record, file
size depends on the codec and resolution settings.
4. How users can hide their activities on servers which they access through the
Fudo Enterprise?
In case of the SSH protocol, Fudo Enterprise supports SCP channel and monitors all transferred
files, including scripts. This allows auditing given session searching for malicious code embedded
in software sent to the server.
Protection of other communication channels (e.g. web browser or other applications) are task
for different kind of solutions. There is no solution similar to Fudo Enterprise which are able to
monitor such channels, thus it is important to create proper server configuration by the system
administrator.

537
Fudo Enterprise 5.4 - System Documentation

5. How to determine unauthorized access attempts to supervised servers?

Unauthorized access and DoS attacks attempts, can be determined by analyzing event log entries.
Each ERROR or WARNING severity entries should be closely examined. Cases of login timeout
errors can be potential DoS attack attempts.
6. Is it possible to hide the login screen when connecting over the RDP protocol?
Hiding the Fudo Enterprise login screen requires using the Enhanced RDP Security (TLS) +
NLA security mode.
7. Why the users list in the connection’s properties is incomplete?
The users list in the connection’s properties does not contain users synchronized with the LDAP
service. To assign a connection to an LDAP synchronized user, define a group mapping in the
LDAP synchronization properties or disable the synchronization option for the given user.
8. Why is a user removed from the LDAP/AD server still present on users list?
Deleting a user object from an AD or an LDAP server requires performing the full synchroniza-
tion to reflect those changes on Fudo Enterprise. The full synchronization process is triggered
automatically once a day at 00:00, or can be triggered manually in the LDAP synchronization
settings view.
9. How frequently are users’ definitions synchronized with an LDAP/AD server?
New users definitions and changes in existing objects are imported from the directory service
periodically every 5 minutes. The full synchronization process is triggered automatically once a
day at 00:00.
10. I see * instead of the keystrokes in the session player. Is it possible to see the
actual keyboard input?
Presenting keyboard input qualifies as a sensitive feature and it is disabled by default. Enabling
displaying keystrokes in the session player requires a consent from two superadmin users. Refer
to the Sensitive features topic for the details on enabling this functionality.
11. Can I deactivate a session URL?
Active session URL can be deactivated anytime. URL revoking procedure is described in the
Sessions sharing topic.
12. What should I do before returning a demonstration unit after testing?
After testing Fudo, you should delete all session and configuration data by resetting configuration
to default settings and erase the flash drive with the encryption key.
13. How long does it take for the model to learn? How many sessions do I have to
record to see results?
Models are trained as scheduled in the AI system settings.
• For the SSH model the minimum are 65 sessions (with at least 25 different commands)
and 5 unique predictors (e.g. users). Optimal results require 300 sessions per predictor
(e.g. user) and 10 unique predictors (e.g. users).
• For the RDP model, the minimum are 5 hours of session recordings per predictor (e.g.
user). Optimal results require 30 hors of session recordings and 10 unique predictors (e.g.
users).

538
Fudo Enterprise 5.4 - System Documentation

14. We have 20 accounts and 20 users in our company - how long will it take to see
differences?
This solely depends on the availability of session data. If there is enough session information
available to build models, you can expect model to be trained the next day after first predictor
session is recorded.
• For SSH model the minimum are 65 sessions (with at least 25 different commands) and
5 unique predictors (e.g. users). Optimal results require 300 sessions per predictor (e.g.
user) and 10 unique predictors (e.g. users).
• For RDP model, the minimum are 5 hours of session recordings per predictor (e.g. user).
Optimal results require 30 hours of session recordings and 10 unique predictors (e.g. users).
15. If I connect to different servers, does Fudo create a separate model for each of
them?
Fudo creates and maintains one RDP and one SSH model for a single user.
16. If I give my login credentials to another person, will the AI detect that someone
else has logged in and terminate the session?
Fudo Enterprise will detect that someone else has logged in and will set the session risk status
to high, but it will not terminate the session.
17. Session status icon is yellow all the time - what does it mean?
Yellow color indicates that the model could not determine whether the session poses a threat or
not. Under normal circumstances, these sessions should be considered as non-threatening. But
if you suspect there has been a security incident, these sessions should be reviewed.
18. Five users use the same account to establish connections - will the system be
able to determine who and when has logged in onto the server?
Users must have individual accounts created on Fudo Enterprise so it can correctly determine if
an account security has been breached.
19. How will the system determine that it wasn’t me if we all use the same com-
mands?
Every user runs the same commands differently. E.g. one user will execute ls -la and another
will run ls -al. Combination of such subtle differences allows for determining a if the currently
logged in user matches the profile.
20. Sessions are not analyzed, why is that?
In order for a session to be analyzed, there must be a matching model available. Also, session
has to meet volumetric requirements - it must be long enough and carry enough information.
Refer to AI sessions processing for more information.

539
CHAPTER 31

Glossary

AAPM AAPM (Application to Application Password Manager) module enables secure pass-
word exchange between applications.
account
accounts Account defines the privileged account existing on the monitored server. It specifies
the actual login credentials, user authentication mode: anonymous (without user authen-
tication), regular (with login credentials substitution) or forward (with login and password
forwarding); password changing policy as well as the password changer itself.
Active Directory Users authorization and authentication in Windows domain.
AD Active Directory - users authorization and authentication in Windows domain.
Azure Microsoft Azure is a cloud computing service operated by Microsoft for application
management via Microsoft-managed data centers.
anonymous safe An anonymous safe has at least one anonymous account assigned to it and
it can only have that type of accounts assigned. You cannot assign users to anonymous
safes.
AUROC Area Under ROC curve (AUROC) is a single metric representing model quality (the
higher the better).
ARP Address Resolution Protocol - protocol used for mapping Internet layer addresses (IP
addresses) to the physical - link layer addresses (MAC addresses).
CERB Complete user authentication and authorization solution, supporting different authen-
tication methods i.e., mobile token (mobile phone application), static password, SMS one-
time passwords, etc.
CIDR Short notation of network addressing, in which the IP address is written according to
the IPv4 standard, and the subnet mask is provided as a number of 1 in the subnet mask
in binary system (192.168.1.1 - 255.255.255.0; 192.168.1.1/24).
data retention Data retention mechanism automatically deletes session data after define time
period transpires.

540
Fudo Enterprise 5.4 - System Documentation

DHCP Mechanism for dynamic IP addressing management i LAN networks.

DNS Domain Name Server - name server service which maps IP addresses to hosts names which
are easier to remember.
DUO is a mobile application that works with Duo Security’s two-factor authentication ser-
vice. The application generates passcodes for login and can receive push notifications for
authentication.
Efficiency Analyzer/Productivity Analyzer Efficiency Analyzer/Productivity Analyzer
module delivers statistical information on users’ activity.
external authentication server Server storing user data used for verification of user login
credentials when connecting to Fudo Enterprise or the monitored server.
False Positive Rate False Positive Rate (FPR) is the percentage of legitimate sessions inap-
propriately identified as malicious (the lower the better).
Fingerprint Characters string being a result of a hash function on input data, allowing to
determine if the input data has been altered.
fudopv AAPM module script, installed on the server, which enables secure password exchange
between applications.
heartbeat Network packet used for informing other cluster nodes about machine’s current
state. If a cluster node does not receive a heartbeat packet in a given timeframe, it will
take over the master node role and will start processing users’ requests.
hot-swap Hot-swap mechanism enables replacing hardware components without the necessity
to turn the system off.
LDAP Lightweight Directory Access Protocol - distributed catalog services management and
access protocol in IP networks.
listener Listener determines server connection mode (proxy, gateway, transparent, bastion) as
well as its specifics.
OATH Open Authentication - open standard enabling implementation of strong, two-factor
user and devices authentication.
OCR Optical Character Recognition - image processing for identifying and indexing text.
Okta Okta provides cloud software to manage and secure user authentication into applications.
OpenID Connect OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol.
password changer Tool which enables facilitating automated password changing on a server.
passwords repository Passwords repository manages password to privileged accounts on mon-
itored hosts.
policy Mechanism which enables defining patterns which in case of being detected will trigger
defined actions.
PSM (Privileged Session Management) PSM module is used for recording remote access
sessions.
PSM PSM (Privileged Session Monitoring) module enables monitoring and recording remote
access sessions.
Public key Authentication method which uses a pair of keys - private (held only by the user)
and public (publicly available) to determine user’s identity.

541
Fudo Enterprise 5.4 - System Documentation

RADIUS Remote Authentication Dial In User Service - networking protocol used to control
access to different services within IT infrastructure.
RDP Remote Desktop Protocol - remote access protocol to computer systems running Microsoft
operating system.
RDP connections broker Remote sessions management mechanism for server farms.
redundancy group Defined group of IP addresses, which in case of a system failure, will be
seamlessly carried over to another cluster node to maintain the availability of the services.
safe Safe directly regulates user access to monitored servers. It specifies available protocols’
features, policies and other details concerning users and servers relations.
server
servers Server is a definition of the IT infrastructure resource, which can be accessed over one
of the specified protocols.
shared session User session which was joined by another user.
SMS is a text messaging service component of most telephone, and mobile device systems.
SSH Secure Shell - networking protocol for secure communication with remote systems.
SSH access Service access to Fudo Enterprise over SSH protocol.
Static password Basic user authorization method which uses login and password combination
to determine users’s identity.
Syslog Events logging standard in computer systems. Syslog server collects and stores log data
from networked devices, which can be later used for analysis and reporting.
Threat Probability Threat probability is a percentage-wise value that reflects a threat level
of the session.
time policy Time policy mechanism enables defining time periods during which users are al-
lowed to connect to monitored hosts.
timestamp Session data hash value, which enables verifying that the data has not been modi-
fied.
True Positive Rate True Positive Rate (TPR), sometimes called Recall - is a percentage of
malicious sessions properly flagged by the model as suspicious (the higher the better).
user User defines a subject entitled to connect to servers within monitored IT infrastructure.
Detailed object definition (i.e. unique login and domain combination, full name, email
address etc.) enables precise accountability of user actions when login and password are
substituted with a shared account login credentials.
VLAN Virtual networks mechanism, enabling separation of broadcast domains.
VNC Remote access protocol to graphical user interfaces.
WWN World Wide Name - unique object identifier in external storage solutions.

542
Index

A DNS, 541
AAPM, 540 DUO, 541
account, 540
accounts, 540
E
Active Directory, 540 editing
AD, 540 servers, 171, 176
administration Efficiency Analyzer/Productivity
configuration export/import, 399 Analyzer, 541
anonymous safe, 540 external authentication server, 541
API
users, 129
F
ARP, 540 False Positive Rate, 541
AUROC, 540 Fingerprint, 541
Azure, 540 fudopv, 541

C H
CERB, 540 heartbeat, 541
CIDR, 540 hot-swap, 541
configuration HTTP
AI, 362 protocol, 8
Network configuration, 346, 355 protocols, 8
notifications, 359 servers, 149
users synchronization, 144
I
connection mode
bastion, 22 import
gateway, 22 servers, 170
proxy, 22 L
transparent, 21
LDAP, 541
creating
listener, 541
servers, 149

D M
Modbus
data retention, 540
protocol, 9
deleting
protocols, 9
servers, 174
servers, 152
deployment scenario
MS SQL
bridge, 20
servers, 153
forced routing, 20
MS SQL (TDS )
DHCP, 541

543
Fudo Enterprise 5.4 - System Documentation

protocol, 9 PSM, 541

protocols, 9 PSM (Privileged Session Management), 541
MySQL Public key, 541
protocol, 10
protocols, 10 R
servers, 155 RADIUS, 542
RDP, 542
N RDP
Network configuration protocol, 10
IP labels, 355 protocols, 10
network interface configuration, 346 servers, 156
network configuration RDP connections broker, 542
routing, 355 RDP connections broker, 434
redundancy group, 542
O
OATH, 541 S
OCR, 541 safe, 542
Okta, 541 secret
OpenID Connect, 541 protocol, 19
protocols, 19
P server, 542
password changer, 541 servers, 542
passwords repository, 541 servers
policy, 541 creating, 149
protocol deleting, 174
HTTP, 8 editing, 171, 176
Modbus, 9 HTTP, 149
MS SQL (TDS ), 9 import, 170
MySQL, 10 Modbus, 152
RDP, 10 MS SQL, 153
secret, 19 MySQL, 155
SSH, 13 RDP, 156
TCP, 19 ssh, 159
Telnet, 17 TCP, 168
Telnet 3270, 16 Telnet, 161
Telnet 5250, 17 Telnet 3270, 163
VNC, 18 Telnet 5250, 165
X11, 19 VNC, 167
protocols sessions
HTTP, 8 commenting, 303
Modbus, 9 filtering, 290
MS SQL (TDS ), 9 play and preview, 293
MySQL, 10 shared session, 542
RDP, 10 SMS, 542
secret, 19 SSH, 542
SSH, 13 SSH
TCP, 19 protocol, 13
Telnet, 17 protocols, 13
Telnet 3270, 16 ssh
Telnet 5250, 17 servers, 159
VNC, 18 SSH access, 542
X11, 19 Static password, 542

Index 544
Fudo Enterprise 5.4 - System Documentation

Syslog, 542

T
TCP
protocol, 19
protocols, 19
servers, 168
Telnet
protocol, 17
protocols, 17
servers, 161
Telnet 3270
protocol, 16
protocols, 16
servers, 163
Telnet 5250
protocol, 17
protocols, 17
servers, 165
Threat Probability, 542
time policy, 542
timestamp, 542
True Positive Rate, 542

U
user, 542
users
access rights, 129
API, 129
roles, 129
users synchronization, 144
configuration, 144

V
VLAN, 542
VNC, 542
VNC
protocol, 18
protocols, 18
servers, 167

W
WWN, 542

X
X11
protocol, 19
protocols, 19

Index 545

Security Onion 2.4 E-Book
No ratings yet
Security Onion 2.4 E-Book
303 pages
Lancashire Dialect Notes
No ratings yet
Lancashire Dialect Notes
7 pages
Security Onion 16 Documentation
100% (1)
Security Onion 16 Documentation
230 pages
Nextcloud Server Administration Manual
No ratings yet
Nextcloud Server Administration Manual
287 pages
Knowage Suite Readthedocs Io en 7.4
No ratings yet
Knowage Suite Readthedocs Io en 7.4
536 pages
Rstudio Server Pro 0.99.893 Admin Guide
No ratings yet
Rstudio Server Pro 0.99.893 Admin Guide
79 pages
SuccessEHS - Technical Specifications 2017-07-05
No ratings yet
SuccessEHS - Technical Specifications 2017-07-05
19 pages
Nuxeo Admin 36052169
No ratings yet
Nuxeo Admin 36052169
214 pages
Old Linux Course Modules
No ratings yet
Old Linux Course Modules
562 pages
Do More With Less - Automating IBM Storage FlashSystem Tasks With REST APIs Scripting and Ansible
No ratings yet
Do More With Less - Automating IBM Storage FlashSystem Tasks With REST APIs Scripting and Ansible
76 pages
Nextcloud Server Administration Manual
No ratings yet
Nextcloud Server Administration Manual
371 pages
Nuxeo Platform 5.5 Administration Documentation
No ratings yet
Nuxeo Platform 5.5 Administration Documentation
173 pages
IPBrick Manual - Referencia - ENV5.2
No ratings yet
IPBrick Manual - Referencia - ENV5.2
280 pages
Securityonion PDF
No ratings yet
Securityonion PDF
246 pages
Netxms Admin
100% (1)
Netxms Admin
368 pages
Nextcloud Server Administration Manual
No ratings yet
Nextcloud Server Administration Manual
531 pages
Nextcloud Server Administration Manual
No ratings yet
Nextcloud Server Administration Manual
289 pages
TAK Server Configuration Guide 5.2
No ratings yet
TAK Server Configuration Guide 5.2
61 pages
Manual Referencia 6 en
No ratings yet
Manual Referencia 6 en
329 pages
Redp 5736
No ratings yet
Redp 5736
78 pages
Redp 5736
No ratings yet
Redp 5736
80 pages
Datapower Redbook
No ratings yet
Datapower Redbook
286 pages
Axway Admguide v5.5.1
No ratings yet
Axway Admguide v5.5.1
692 pages
Manual Referenciav5.3 EN
No ratings yet
Manual Referenciav5.3 EN
354 pages
Dibbler User Guide
No ratings yet
Dibbler User Guide
112 pages
Ida Teams Admin Guide
No ratings yet
Ida Teams Admin Guide
28 pages
IPBrick - OS v5.3 Manual
No ratings yet
IPBrick - OS v5.3 Manual
336 pages
Installing and Deploying IBM Connections
100% (1)
Installing and Deploying IBM Connections
304 pages
Dibbler - A Portable Dhcpv6 User'S Guide: Tomek Mrugalski
No ratings yet
Dibbler - A Portable Dhcpv6 User'S Guide: Tomek Mrugalski
113 pages
Nextcloud Server Administration Manual
No ratings yet
Nextcloud Server Administration Manual
413 pages
IBM Communications Server For Data Center Deployment V7.0: Paper
No ratings yet
IBM Communications Server For Data Center Deployment V7.0: Paper
60 pages
Nextcloud Server Administration Manual
No ratings yet
Nextcloud Server Administration Manual
272 pages
RAC Attack - Oracle Cluster Database at Home: Edited by Jeremy Schneider
No ratings yet
RAC Attack - Oracle Cluster Database at Home: Edited by Jeremy Schneider
246 pages
Tsung - Manual
No ratings yet
Tsung - Manual
108 pages
MirthApplianceDeploymentGuide 3.6.0
No ratings yet
MirthApplianceDeploymentGuide 3.6.0
69 pages
Veyon Admin Manual en - 4.3.0
No ratings yet
Veyon Admin Manual en - 4.3.0
69 pages
Nuxeo Platform 5.8 Administration Documentation
No ratings yet
Nuxeo Platform 5.8 Administration Documentation
256 pages
Nextcloud Server Administration Manual
No ratings yet
Nextcloud Server Administration Manual
317 pages
GSM Manual GOS 3.1 en 20161026
0% (1)
GSM Manual GOS 3.1 en 20161026
302 pages
SG 247943
No ratings yet
SG 247943
160 pages
Soa Best Practices
No ratings yet
Soa Best Practices
160 pages
SpiderNet Administrator Guide R2.2 PDF
No ratings yet
SpiderNet Administrator Guide R2.2 PDF
160 pages
DataPower ServicePlanning Implementation BestPractices
No ratings yet
DataPower ServicePlanning Implementation BestPractices
160 pages
Veyon Admin Manual en - 4.2.5
No ratings yet
Veyon Admin Manual en - 4.2.5
67 pages
Nextcloud Server Administration Manual
No ratings yet
Nextcloud Server Administration Manual
303 pages
Veyon Admin Manual en - 4.2.4
No ratings yet
Veyon Admin Manual en - 4.2.4
67 pages
Nextgen Connect 310 User Guide
No ratings yet
Nextgen Connect 310 User Guide
499 pages
HPE - A00059864en - Us - Onyx For HPE StoreFabric M-Series Ethernet Switch User Manual
No ratings yet
HPE - A00059864en - Us - Onyx For HPE StoreFabric M-Series Ethernet Switch User Manual
1,666 pages
JCE-Developer - Guide-4 6 0
0% (1)
JCE-Developer - Guide-4 6 0
108 pages
Ipaso Vr2 04 GGS-000403-23E Provisioning
No ratings yet
Ipaso Vr2 04 GGS-000403-23E Provisioning
748 pages
Glpi Agent Readthedocs Io en Latest
No ratings yet
Glpi Agent Readthedocs Io en Latest
95 pages
Prosys OPC UA SDK For Java Server Tutorial
No ratings yet
Prosys OPC UA SDK For Java Server Tutorial
54 pages
Nextcloud Server Administration Manual PDF
No ratings yet
Nextcloud Server Administration Manual PDF
299 pages
Palo Alto Networks Administrators Guide
No ratings yet
Palo Alto Networks Administrators Guide
274 pages
Suse Manager Administration Guide
No ratings yet
Suse Manager Administration Guide
230 pages
Veyon Admin Manual en 4.2.0
No ratings yet
Veyon Admin Manual en 4.2.0
57 pages
NB3700 Manual 3.7.0.101
No ratings yet
NB3700 Manual 3.7.0.101
202 pages
Sys Admin
No ratings yet
Sys Admin
83 pages
Laborator2 Utilizarea Tehnicilor de Sortare A Datelor. Algoritmi de Sortare Internă"
No ratings yet
Laborator2 Utilizarea Tehnicilor de Sortare A Datelor. Algoritmi de Sortare Internă"
5 pages
Triduum Prayer Blessed Virgin Mary: GREETINGS: (Everyday)
100% (1)
Triduum Prayer Blessed Virgin Mary: GREETINGS: (Everyday)
2 pages
Computer Programming 3 Midterm Examinations Name: - Score: - Course, Yr & Section
No ratings yet
Computer Programming 3 Midterm Examinations Name: - Score: - Course, Yr & Section
3 pages
1920 3. The Audio Lingual Method
No ratings yet
1920 3. The Audio Lingual Method
63 pages
Microsoft Word - WAB
No ratings yet
Microsoft Word - WAB
3 pages
MATHS 205 Final (2014-2015) (1st)
No ratings yet
MATHS 205 Final (2014-2015) (1st)
11 pages
Memlib Certify
No ratings yet
Memlib Certify
32 pages
Supplications For The Lunar Month The Digital Ambler
No ratings yet
Supplications For The Lunar Month The Digital Ambler
2 pages
Dimensional Analysis and Model Studies - DPP 01
No ratings yet
Dimensional Analysis and Model Studies - DPP 01
3 pages
PS2 Final Exam Description (Online)
No ratings yet
PS2 Final Exam Description (Online)
2 pages
Webquest To The Old West
No ratings yet
Webquest To The Old West
7 pages
Chapter 1: Introduction To Compiler: April 2019
No ratings yet
Chapter 1: Introduction To Compiler: April 2019
14 pages
Third Periodical Test in Math 6
No ratings yet
Third Periodical Test in Math 6
5 pages
Write A Program For Generalized Bresenham's Line Drawing Algorithm
No ratings yet
Write A Program For Generalized Bresenham's Line Drawing Algorithm
4 pages
Galois Theory PDF
100% (1)
Galois Theory PDF
230 pages
Quote #867 (Prem Vidya Industries)
No ratings yet
Quote #867 (Prem Vidya Industries)
2 pages
Data Structrue MCQ's
No ratings yet
Data Structrue MCQ's
170 pages
MM220 - Manual - Eng - WIFI RADIO - SWEEX
No ratings yet
MM220 - Manual - Eng - WIFI RADIO - SWEEX
14 pages
Geg S1
No ratings yet
Geg S1
4 pages
Annual Plan 2025
No ratings yet
Annual Plan 2025
1 page
Conti Rossini, Turajev. Vitae Sanctorum Indigenarum. 1904. Volume 1 - Textus.
100% (1)
Conti Rossini, Turajev. Vitae Sanctorum Indigenarum. 1904. Volume 1 - Textus.
278 pages
A Poem That Has No Title Line Byline Analysis
No ratings yet
A Poem That Has No Title Line Byline Analysis
1 page
Querying The Linked Data Graph Using Owl:Sameas Provenance
No ratings yet
Querying The Linked Data Graph Using Owl:Sameas Provenance
13 pages
Reading and Writing SKills - M1
No ratings yet
Reading and Writing SKills - M1
12 pages
Christianity in Early Africa PDF
No ratings yet
Christianity in Early Africa PDF
48 pages
Listening To Connected Speech PDF
No ratings yet
Listening To Connected Speech PDF
4 pages
Functional English Paper Solution
No ratings yet
Functional English Paper Solution
3 pages
Alice
No ratings yet
Alice
7 pages
(Online Teaching) b1 Preliminary For Schools Speaking Part 3 Vocabulary
0% (1)
(Online Teaching) b1 Preliminary For Schools Speaking Part 3 Vocabulary
9 pages