Ekran System v.6.15
Deployment Guide
Table of Contents
About
System Requirements
Program Structure
Deployment Process
Server and Database
About
Database Types Comparison
High Availability Mode
About
Standard and High Availability Modes Comparison
Installing Remote PostgreSQL Database Server
Installing/Uninstalling/Updating the Server
Installing the Server
Backing up Ekran Master Certificate
Deleting Ekran Master Certificate
Importing Ekran Master Certificate
Installing the Server in the Cloud
Adding Server Executable to Windows Firewall
Using an External/Cloud-Based Server Computer
Updating the Server
Uninstalling the Server
Running Ekran Server Service Under User Account
Changing Server Port for Client Connection
Moving Binary Data to Shared or Local Folder
Validating Monitoring Data
About
Validating Monitoring Data Using Hash Codes
Signing Monitoring Data with Certificate
Editing Database Parameters
Cleaning Up Sessions of Deleted Clients
Management Tool
About
Management Tool Installation Prerequisites
Prerequisites Overview
Turning on Internet Information Service (IIS)
Turning on IIS for Windows 8 and Windows 7
Turning on IIS for Windows Server 2008 R2
Turning on IIS for Windows Server 2012
Installing .NET Framework
Configuring Internet Information Service (IIS)
Using Certificates
Generating Self-Signed Certificate
Exporting Self-Signed Certificate
Importing Trusted Certificate
Adding Certificate to Trusted Root Certification Authorities
Setting HTTPS Binding for a Default Web-Site
Installing/Uninstalling/Updating the Management Tool
Installing the Management Tool
Adjusting Computer for Remote Access
Updating Management Tool
Uninstalling Management Tool
Opening Management Tool
Licensing
General Licensing Information
About Serial Keys
About Update & Support Period
Viewing License State
Activating Serial Keys Online
Adding Activated Serial Keys Offline
Configuring Proxy Server for Serial Keys Activation
Deactivating Serial Keys
Client License Management
Windows Clients
About
Monitoring via Windows Clients
Installing Windows Clients
About
Setting up Environment for Remote Installation
Windows Client Installation Prerequisites
Disabling Simple File Sharing in Windows XP
Disabling Sharing Wizard in Windows 8.1, Windows 8 and Windows 7
Checking System Services
Setting up Windows Vista, Windows XP, Windows Server 2003 Firewall
Setting up Firewall for Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012, Windows Server 2008
Installing Windows Clients Remotely via the Management Tool
About
Selecting Computers
Remote Windows Client Installation Process
Remote Installation from an Existing .INI File
Installing Windows Clients Locally
About
Windows Client Installation Package
Generating Windows Client Installation Package
Installing Windows Clients Locally with Custom Monitoring Parameters
Downloading Windows Client Installation File (.exe)
Installing Windows Clients Locally without .ini File
Installation via Third Party Software
Installing Windows Client on Amazon WorkSpace
Installing Windows Client Remotely Using PsExec
Cloning a Virtual Machine with Installed Client
Unassigning License on Virtual Machine Shutdown
Golden Image Mode for the Server
Unassigning License via the Script on the Client Side
Updating Windows Clients
About
Windows Client Status after Server Update
Updating Windows Clients Automatically
Updating Windows Client Manually
Reconnecting Windows Clients to Another Server
Uninstalling Windows Clients
About
Client Uninstallation Key
Uninstalling Windows Clients Remotely
Uninstalling Windows Clients Locally
Viewing Windows Clients
macOS Clients
About
Monitoring via macOS Clients
Installing macOS Client
About
Downloading macOS Client Installation File
Installing macOS Clients
Uninstalling macOS Clients
About
Uninstalling macOS Clients Remotely
Uninstalling macOS Clients Locally
Viewing macOS Clients
Linux Clients
About
Monitoring via Linux Clients
Remote SSH Session Monitoring
Local Sessions Monitoring (for X Window System)
Installing Linux Client
About
Downloading Linux Client Installation File
Installing Linux Clients
Updating Linux Clients
About
Linux Client Status after Server Update
Updating Linux Clients Automatically
Updating Linux Client Manually
Uninstalling Linux Clients
Viewing Linux Clients
Tray Notifications Application
About
Installing/Uninstalling the Tray Notifications Application
Installing the Tray Notifications Application
Uninstalling the Tray Notifications Application
Troubleshooting
Quick Access to Log Files
Database/Server
Database/Server Related Issues
Database/Server Related Error Messages
Management Tool
Management Tool Related Issues
Management Tool Error Messages
Windows Client
Checking that the Client Is Installed
Clients Installation/Uninstallation Issues and Error Messages
Linux Client
Checking the State of the Linux Client
Restarting Linux Client
About
Welcome to Ekran System!
Ekran System is an application that allows you to record the activity of the target computers with installed Clients and to view the screen captures from these computers in the form of video.
This guide will help you in managing Ekran System components (installing, uninstalling, updating, etc.) and controlling their interaction.
System Requirements
Each Ekran System component has its own system requirements. Make sure your hardware and software meet the following system requirements to avoid possible component malfunctions.
Ekran System Server requirements:
2-core 2 GHz or higher CPU
4 GB or more RAM
Enterprise-level Ethernet card
Minimum 1 Gbit/s network adapter
Windows Server 2019, Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2 (x64 platform)
Universal C Runtime and Visual C++ Runtime (starting with Ekran System 5.5). Both can be installed via the Microsoft Visual C++ 2015 Redistributable: https://www.microsoft.com/en-gb/download/details.aspx?id=48145
NOTE: The Universal C Runtime needs to be initially installed via update KB2999226:
https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows
.Net Framework 4.8
NOTE: If the Server and the Management Tool are to be installed on the same computer, make sure you turn on the Internet Information Service before the installation of .Net Framework 4.8.
[When using MS SQL Database]: Full edition of MS SQL Server 2019, MS SQL Server 2017, MS SQL Server 2016, MS SQL Server 2014, MS SQL Server 2012, MS SQL Server 2008R2. Standard license or higher is required.
[When using PostgreSQL Database]: PostgreSQL 10 or higher.
NOTE: If you want to deploy the Ekran System in the High Availability mode, enabled Message Queueing and configured NLB cluster are required. Please refer to the High Availability Deployment Guide for more information.
Management Tool requirements:
2-core 2 GHz or higher CPU
4 GB or more RAM
100 Mbit/s network adapter
Windows 10, Windows 8.1, Windows 8, Windows 7 (any edition except Home);
[recommended] Windows Server 2019, Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2 (starting from SP1 version). Both x86 and x64 platforms are supported.
.Net Framework 4.8
IIS 7.5 or higher with enabled ASP.NET 3.5 and 4.5 support (4.6 for Windows Server 2016)
[For accessing the Management Tool locally or remotely] One of the following browsers:
Google Chrome 37 or higher
Mozilla Firefox 32 or higher
Internet Explorer 10 or higher
Safari S6 and Safari S5
Opera 15 or higher
NOTE: The Management Tool might be opened in other browsers, but its compatibility with other browsers is not guaranteed.
Windows Client requirements:
1 GHz or higher CPU
512 MB or more RAM
100 Mbit/s network adapter
Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows XP SP3; Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2008, and Windows Server 2003 SP1. Both x86 and x64 platforms are supported.
NOTE: Due to the new SHA-256 code signing, on Windows 7 SP1 and Windows Server 2008 R2 SP1, the Microsoft Security Advisory update 3033929 needs to be installed:
https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3033929
Citrix XenDesktop; Citrix XenApp; Citrix XenDesktop/XenApp with Citrix Provisioning Services (PVS).
It is recommended to have not less than 500MB of free space on the disk where the Client is installed to save data during the offline session.
macOS Client requirements:
2.26GHz Intel Core 2 Duo or higher CPU
2GB RAM
100 Mbit/s network adapter
macOS 10.9 and later
It is recommended to have not less than 500MB of free space on the disk where the Client is installed to save data during the offline session.
Linux Client requirements:
1 GHz or higher CPU
512 MB or more RAM
100 Mbit/s network adapter
It is recommended to have not less than 500MB of free space on the disk where the Client is installed to save data during the offline session.
Linux Kernel 2.6.32 and higher
| Distributor | Base OS | Versions Supported |
|---|---|---|
| Debian | Debian | 9.0, 8.0, 7.0 |
| Debian | Ubuntu | 18.04, 16.0, 15.0, 14.0, 12.0 |
| Debian | Linux Mint | 17.xx - 13 |
| openSUSE | Suse Linux Enterprise Server | 12 (SP1, SP2, SP3), 11 (SP2, SP3, SP4) |
| RedHat | RedHat | 7.0, 6.0 |
| RedHat | CentOS | 7.x, 6.x |
| RedHat | Oracle Linux | 7.x - 5.6 |
| Sun Microsystems | Solaris | 11.0, 10.0 |
| IBM | AIX | 7.2, 7.1 |
The monitoring of graphical interface for X Window System is supported on the following operating systems:
| OS | Versions Supported |
|---|---|
| Ubuntu | Ubuntu 18.04.1 LTS, Ubuntu 16.04.5 LTS, Ubuntu 16.04.2, Ubuntu 14.04.5 LTS, Ubuntu 14.04.2, Ubuntu 12.04.1, Ubuntu 14.04 LTS |
| Red Hat | Red Hat 7.0 – 7.6, Red Hat 6.0 – 6.10 |
| CentOS | CentOS 7.1 – 7.5, CentOS 6.1 – 6.9 |
| Suse Linux Enterprise Server | 12 (SP1, SP2, SP3) |
NOTE: When the Client is installed to the terminal server, hardware requirements depend on the number of active user sessions and may increase drastically. For example, hardware requirements for the Client deployed on the terminal server hosting 10 active user sessions will be as follows:
Intel Core i3 or similar AMD CPU
2048 MB RAM
Program Structure
Ekran System is an application specially designed to control user activity remotely.
Ekran System includes the following components:
Ekran System Server (further referred to as Server): It is the main part of the Ekran System used for storing the screenshots and associated information received from the Clients. The work of the Server can be started or stopped via Server Tray.
Ekran System Management Tool (further referred to as Management Tool): It is a central administrative unit that allows you to control and manage Clients, Users, USB Monitoring Rules, Alerts, Server database, and Serial Keys. You can have access to the Management Tool from any computer in the network without having to install it on this computer.
Ekran System Session Viewer provides a usable interface for quick review of the monitored data received from the Ekran System Clients.
Ekran System Windows Clients (further referred to as Windows Clients): Being hosted on the remote computers, Windows Clients create screenshots with the defined frequency and send them to the Server along with metadata information such as user name, host name, activity time, active window titles, application names, URL addresses, clipboard text data, keystrokes, etc. Managing the remote Windows Clients configuration and settings is performed via the Management Tool.
Ekran System macOS Clients (further referred to as macOS Clients): Being hosted on the remote computers, macOS Clients create screenshots with the defined frequency and send them to the Server along with metadata information such as user name, host name, activity time, active window titles, application names, URL addresses, etc. Managing the remote macOS Clients configuration and settings is performed via the Management Tool.
Ekran System Linux/Unix Clients (further referred to as Linux Clients): Being hosted on the remote computers, Linux Clients capture input/output terminal data (including all executed commands) and send this interactive data to the Server.
Ekran System Tray Notifications application (further referred to as Tray Notifications application): This application allows receiving notifications on alert events on Clients.
Deployment Process
The Ekran System installation consists of several steps:
1. Installing the Server: To deploy the system, first of all you need to install the Server. The Server is used to store and process all records sent by the Clients hosted on the remote computers. During the Server installation you can select the type of the database and define administrator credentials.
NOTE: You can deploy the Ekran System in the High Availability mode, which allows you to work with multiple Server instances in the Network Load Balancer cluster. This would provide a high level of operational performance, which allows minimizing downtime and service interruptions. Please refer to the High Availability Deployment Guide for more information.
2. Completing Management Tool installation prerequisites: To install and run the Management Tool, you need to turn on the Internet Information Service on your computer, add the self-signed or trusted certificate to the Trusted Root Certification Authorities and set HTTPS binding for a default web site (or any other IIS site).
3. Installing the Management Tool: The Management Tool is used to manage Users, Clients, Alerts, and Database, as well as to view the monitored data received from Clients. Connection with the Server is required for the Management Tool to operate.
4. Activating serial keys (adding activated serial keys): To be able to receive data from the Clients, you need to license the Clients by activating purchased serial keys. You can also activate an Enterprise serial key to gain access to the enterprise features of Ekran System for an unlimited period of time.
5. Installing Clients:
Installing Windows Clients: The Windows Clients are usually installed remotely via the Management Tool. A Windows Client can be installed on any computer in the network.
Please note that several conditions have to be met for successful remote Client installation.
Installing macOS Clients: The macOS Clients are installed locally.
Installing Linux Clients: The Linux Clients are installed locally.
6. Installing the Tray Notifications application: The Tray Notifications application can be installed on any computer. As long as there is a connection to the Server, the Tray Notifications application displays notifications on all alert events received from Clients. For more information, see the Tray Notifications application help file.
After installing all the system components, Ekran System is considered deployed and all its features become available.
Server and Database
About
The Server is the main component of the system, which provides interaction between other components. The Server stores all monitored data, user accounts, and system settings in the database.
Database Types Comparison
When installing the Server, you can choose between two types of databases (MS SQL database and PostgreSQL database). These databases have the following differences:
| Feature | MS SQL Database | PostgreSQL Database |
|---|---|---|
| General | | |
| Commercial/open-source | Commercial database from Microsoft | Open source product |
| Free | ✘ (has a limited free version). NOTE: Using MS SQL Express does not guarantee the stable work of the Server. | ✔ |
| Requires additional software installation | ✔ | ✔ |
| Scalability | | |
| Remote access to database | ✔ (a separate database engine that can be deployed on a separate server) | ✔ (a separate database engine that can be deployed on a separate server) |
| Clustering support | ✔ | ✔ (Primary-Standby) |
| Network drives support | ✔ | ✔ (if mount as drive) |
| Performance | | |
| Processing speed | High | High |
| Efficient caching algorithms | ✔ | ✔ |
| Index statistics update | Automatic | Manual |
| Memory/process usage | A separate process, more efficient memory usage, quotas can be applied | A separate process, more efficient memory usage, quotas can be applied |
| Additional features | Maintenance tasks can be executed by the engine independently; Complex execution plans optimizations | Cross-platform. It can be run on variety of systems and platforms (Windows, Linux, macOS, BSD, Solaris); A lot of third-party solutions for replications and clustering |
| Requires additional software installation | ✔ | ✔ |
| Safety and security | | |
| Security | High. Keystroke encryption is supported | High. Keystroke encryption is supported |
| Safety | Database corruption is unlikely; Replications; Can be managed via Microsoft native tools; Support scheduled maintenance: reindexing, shrinking etc. | Database corruption is unlikely; Replications |
| Backup | Flexible backup logic (to learn more about the MS SQL database backup, visit the Microsoft website at https://docs.microsoft.com/en-us/sql/relational-databases/backup-restore/full-database-backups-sql-server?view=sql-server-2017 ) | Flexible backup logic (to learn more about the PostgreSQL database backup, visit the PostgreSQL website at https://www.postgresql.org/docs/9.1/static/backup.html ) |
High Availability Mode
About
The High Availability mode allows you to configure and deploy Ekran System in such a way that it can work with multiple Server instances in the Network Load Balancer cluster. This would allow balancing the load of data sent to the servers by Ekran Clients and ensure data integrity in case any of the instances goes offline for any number of reasons.
NOTE: The High Availability mode is available only if you have an activated Enterprise serial key.
Standard and High Availability Modes Comparison
The Standard and High Availability modes have the following differences:
| Feature | Standard Mode | High Availability Mode |
|---|---|---|
| Serial key types | One of the following serial keys: Permanent; Trial; Update and support | Enterprise serial key and one of the following keys: Permanent; Trial; Update and support |
| Database type | MS SQL or PostgreSQL | MS SQL or PostgreSQL |
| Number of Servers | One | Multiple |
| System requirements | Standard system requirements. | Standard system requirements, enabled Message Queueing, and configured NLB cluster. |
| Additional Software | None | NLB cluster. NOTE: We recommend using Windows NLB. We cannot guarantee the High Availability Mode to function with other load balancers correctly. |
| Component connection | Physical IP address | Logical IP address |
| Recommended for | Average number of Client computers. | Large number of Client computers. |
Installing Remote PostgreSQL Database Server
When using the remote PostgreSQL database server, you need to open the ports to ensure the connection between the Ekran Server and PostgreSQL database.
To install the remote PostgreSQL database server, do the following:
1. Download PostgreSQL 10 or higher. You can download it from the PostgreSQL official website at https://www.postgresql.org/download/
2. Run the installation file on the computer.
3. On the machine with the installed PostgreSQL database, navigate to the folder with the postgresql.conf file. By default, C:\Program Files\PostgreSQL\<version number>\data.
4. Open the postgresql.conf file.
5. In the postgresql.conf file, define the listen_addresses parameter as '*' or type the external IP address.
6. Save the changes.
7. In the same folder, open the pg_hba.conf file.
8. To allow non-local connections, add the host record in the IPv4 local connections group:
Type: host
Database: all
User: all
Address: IP address of the Ekran Server/subnet mask. Please note, if you use NAT in your network, you should define the external IP address.
Method: md5
9. Save the changes.
10. Restart the PostgreSQL service.
11. On the Ekran Server and PostgreSQL machines, in the Windows Firewall, allow the TCP connection to port 5432.
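A read-only check of the host record from step 8, as an added PowerShell example that is not part of the original guide: it parses pg_hba.conf lines and reports host records that are not limited to the Ekran Server address or that use a method weaker than the md5 named above. The sample lines and the 192.0.2.20 Server address are constructed; on the database machine, pass the output of Get-Content for your own pg_hba.conf instead.

```powershell
# Added example: audit pg_hba.conf host records against the Ekran Server address.
# Constructed sample input; on a real host use: Get-Content '<data folder>\pg_hba.conf'
$SampleLines = @(
    '# TYPE  DATABASE  USER  ADDRESS          METHOD'
    'host    all       all   127.0.0.1/32     md5'
    'host    all       all   192.0.2.20/32    md5'
    'host    all       all   0.0.0.0/0        md5'
    'host    all       all   192.0.2.0/24     trust'
)

function Test-PgHbaHostRecord {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [Parameter(Mandatory)] [string]   $EkranServerIp   # address the Ekran Server connects from
    )
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        $text = ($line -replace '#.*$', '').Trim()          # drop comments and blank lines
        if (-not $text) { continue }
        $f = @($text -split '\s+')
        if (($f[0] -notin 'host', 'hostssl', 'hostnossl') -or ($f.Count -lt 5)) { continue }

        $address = $f[3]
        if (($address -match '^\d+(\.\d+){3}$') -and ($f.Count -ge 6)) {
            # "ADDRESS MASK METHOD" form: the dotted mask is a separate field
            $address = "$($f[3]) $($f[4])"
            $method  = $f[5]
        } else {
            $method  = $f[4]                                # CIDR form or a keyword such as "all"
        }

        $findings   = @()
        $isLoopback = $address -in '127.0.0.1/32', '::1/128'
        $isServer   = $address -in "$EkranServerIp/32", "$EkranServerIp 255.255.255.255"
        if (-not ($isLoopback -or $isServer)) {
            $findings += "address '$address' is not limited to the Ekran Server ($EkranServerIp)"
        }
        switch ($method) {
            'trust'    { $findings += 'method trust accepts connections without a password' }
            'password' { $findings += 'method password sends the password in clear text' }
        }

        [pscustomobject]@{
            Line     = $lineNo
            Address  = $address
            Method   = $method
            Findings = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Test-PgHbaHostRecord -Lines $SampleLines -EkranServerIp '192.0.2.20' |
    Format-Table -AutoSize -Wrap
```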
Installing/Uninstalling/Updating the Server
Installing the Server
To install the Server, do the following:
1. Run the EkranSystem_Server.exe installation file.
2. Click Next on the Welcome page.
3. Carefully read the terms of the End-User License Agreement and click I Agree.
4. On the Choose Components page, do one of the following and click Next:
In the drop-down list, select Ekran System Server.
Select Ekran System Server in the box.
5. On the Choose Install Location page, enter the installation path or click Browse to navigate to the Server installation folder. Click Next.
6. On the Database Type page, select the type of database you want to use for storing data. Click Next. See the Database Types Comparison chapter to compare the database types and choose the appropriate one.
NOTE: If you have already created a database, select its type, and then define the connection parameters for this database.
7. If you have selected the PostgreSQL database, on the PostgreSQL Server Database Configuration page, define the connection parameters and then click Next.
Define the PostgreSQL Server instance name, which is the instance name assigned to the TCP/IP port. Optionally, you can define the custom PostgreSQL database port by entering it after the Server instance name, separated by a colon (e.g., <server_instance_name>:<port>). NOTE: If the default instance of the PostgreSQL is used, enter localhost in the Server instance field.
Define the Database name for the database.
Define the User name and Password of a user account via which the connection to the Server will be established. NOTE: By default, it is a user with the login postgres and the password defined during the PostgreSQL installation.
8. If you have selected MS SQL Server, on the MS SQL Server Database Configuration page, define the connection parameters and then click Next.
Define the MS SQL Server instance name, which is the instance name assigned to the TCP/IP port. Optionally, you can define the custom MS SQL database port by entering it after the Server instance name, separated by a comma (e.g., <server_instance_name>,<port>).
Define the Database name for the database.
Define the User name and Password of a user account via which the connection to the Server will be established. NOTE: You have to define either the SA credentials or the credentials of the user with the dbcreator permission.
9. If you already have a database created manually or during the usage of previous program versions, you will be offered to use it. If you want to use the existing database, click Yes. Otherwise, click No and the new database will be created. NOTE: If you click No, the existing database will be deleted.
10. On the Administrator password page, define the password for the administrator (the default user of Ekran System with login admin and full permissions). Click Next.
11. On the Ekran System Client Uninstallation Key page, enter the key that will be used during the Client local uninstallation and click Next. By default, the Uninstallation key is allowed. You will be able to change this key via the Management Tool any time later.
12. Click Install.
13. The process of installation starts. Its progress is displayed on the Installing page.
14. After the end of the installation process, click Finish to exit the wizard.
15. If you are installing the Server for the first time, back up EkranMasterCertificate. The backed up certificate might be required for Server recovery or during updates.
16. If you already have a backed up master certificate and are re-using the database, delete the master certificate and import the backed up one instead of it.
17. In Windows Firewall, you must allow the Server executable to accept TCP connections via ports 9447 (for the connection between the Server and the Clients), 22712, 22713, and 22714 (for the connection between the Server and the Management Tool). These rules will be added to Windows Firewall automatically, if Windows Firewall is enabled during the Server installation.
Backing up Ekran Master Certificate
To back up Ekran Master Certificate, do the following:
1. On the Ekran Server computer with the certificate you want to back up, press Windows+R, type mmc in the Run text box and press Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window, select Certificates and click Add.
5. In the Certificates Snap-in window, select the Computer account option and click Next.
6. In the Select Computer window, select the Local computer option and click Finish.
7. In the Add or Remove Snap-ins window, click OK.
8. In the Certificates (Local computer) tree-view, select Personal > Certificates.
9. Select EkranMasterCertificate and in its context menu select All Tasks > Export.
10. The Certificate Export Wizard opens.
11. On the Certificate Export Wizard Welcome page, click Next.
12. On the Export Private Key page, select the Yes, export the private key option and click Next.
13. On the Export File Format page, select the following options:
Personal Information Exchange
Include all certificates in the certification path if possible
Export all extended properties
14. Click Next.
15. On the Security page, select the Password option and enter the password in the Password and the Confirm password fields. Click Next.
NOTE: Make sure that you remember the password since you will need it when restoring the certificate or transferring it to another server.
16. On the File to Export page, specify the location to store the certificate and the certificate name manually or click Browse, and click Next.
17. On the Completing the Certificate Export Wizard page, click Finish.
NOTE: You will need the certificate for reinstalling the Server, moving it to another computer, or creating the High Availability cluster.
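The export steps above in scripted form, as an added PowerShell example that is not part of the original guide; it also opens the resulting file with the password to confirm the backup is usable and restricts who can read it. Assumptions: the text "EkranMasterCertificate" appears in the certificate's subject or friendly name, the private key is marked exportable, and D:\Backup is a hypothetical destination folder.

```powershell
# Added example: scripted form of the export wizard; run elevated on the Ekran Server.
# Assumptions: the certificate is found by the text "EkranMasterCertificate" in its
# subject or friendly name, and D:\Backup is a hypothetical, already existing folder.
$Name    = 'EkranMasterCertificate'
$PfxPath = 'D:\Backup\EkranMasterCertificate.pfx'

function ConvertTo-PlainText([securestring]$Secure) {
    (New-Object System.Net.NetworkCredential('', $Secure)).Password
}

# Steps 8-9: locate the certificate in Certificates (Local computer) > Personal.
$found = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$Name*" -or $_.FriendlyName -like "*$Name*" })
if ($found.Count -ne 1) {
    throw "Expected exactly one $Name in LocalMachine\My, found $($found.Count)."
}
$cert = $found[0]
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key to export (step 12)."
}

# Step 15: password with confirmation, never echoed or stored in the script.
$password = Read-Host -AsSecureString -Prompt 'PFX password'
$confirm  = Read-Host -AsSecureString -Prompt 'Confirm password'
if ($password.Length -eq 0) { throw 'An empty password is not accepted.' }
if ((ConvertTo-PlainText $password) -cne (ConvertTo-PlainText $confirm)) {
    throw 'Passwords do not match.'
}

# Steps 12-16: PKCS #12 file with the private key and the certification path.
# Extended properties are included unless -NoProperties is given.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password `
    -ChainOption BuildChain | Out-Null

# Check the backup now rather than during a recovery: open it with the password
# and compare thumbprints with the certificate in the store.
$pfx = Get-PfxData -FilePath $PfxPath -Password $password
if ($pfx.EndEntityCertificates.Thumbprint -notcontains $cert.Thumbprint) {
    throw "Backup $PfxPath does not contain certificate $($cert.Thumbprint)."
}
$hash = (Get-FileHash -Path $PfxPath -Algorithm SHA256).Hash

# The file holds the private key: remove inherited permissions and leave read
# access to the local Administrators group only (well-known SID S-1-5-32-544).
icacls $PfxPath /inheritance:r /grant:r '*S-1-5-32-544:(R)' | Out-Null

# Record for the backup log.
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    File       = $PfxPath
    SHA256     = $hash
}
```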
Deleting Ekran Master Certificate
To delete Ekran Master Certificate, do the following:
1. On the Ekran Server computer, press Windows+R, type mmc in the Run text box and press Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window, select Certificates and click Add.
5. In the Certificates Snap-in window, select the Computer account option and click Next.
6. In the Select Computer window, select the Local computer option and click Finish.
7. In the Add or Remove Snap-ins window, click OK.
8. In the Certificates (Local computer) tree-view, select Personal > Certificates.
9. Select EkranMasterCertificate and in its context menu select Delete.
10. Click Yes in the confirmation message.
Importing Ekran Master Certificate
To import Ekran Master Certificate, do the following:
1. On the Ekran Server computer, press Windows+R, type mmc in the Run text box and press Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window, select Certificates and click Add.
5. In the Certificates Snap-in window, select the Computer account option and click Next.
6. In the Select Computer window, select the Local computer option and click Finish.
7. In the Add or Remove Snap-ins window, click OK.
8. In the Certificates (Local computer) tree-view, select Personal > Certificates.
9. In the Console window, select Actions > All Tasks > Import.
10. The Certificate Import Wizard opens.
11. On the Certificate Import Wizard Welcome page, click Next.
12. On the File to Import page, click Browse and select the file with the backed up certificate. Click Next.
13. On the Private key protection page, enter the password and click Next.
14. On the Certificate Store page, select the Place all certificates in the following folder option, click Browse, and select the Personal node. Click Next.
15. On the Completing the Certificate Export Wizard page, click Finish.
Installing the Server in the Cloud
To install the server in the cloud, do the following:
1. In the cloud, install the Server in a usual way.
2. In the cloud management console, allow the Server executable to accept TCP connections via ports 9447 (for the connection between the Server and the Clients), 22712, 22713, and 22714 (for the connection between the Server and the Management Tool).
NOTE: It is recommended to install the Server and Management Tool on the same computer.
Adding Server Executable to Windows Firewall
Please note that Windows Firewall will be adjusted automatically, if it is enabled during the Server installation. If you use any other Firewall, it should be adjusted as well.
To add the Server executable to the Windows Firewall, do the following:
1. In the Control Panel, select System and Security > Windows Firewall.
2. In the Windows Firewall window, click Advanced settings.
3. In the Windows Firewall with Advanced Security window, right-click Inbound Rules and select New rule.
4. The New Inbound Rule Wizard opens.
5. On the Rule Type page, select Program and click Next.
6. On the Program page, select This program path, then click Browse and navigate to the Server executable. The default path is "C:\Program Files\Ekran System\Ekran System\Server\EkranServer.exe". Click Next.
7. On the Action page, select Allow the connection and then click Next.
8. On the Profile page, select the profile of the network used for connecting remote computers and the Server. Click Next.
9. On the Name page, define the Name of the rule. Click Finish.
10. The rule is created for the Server application. By default, the rule allows any connections via all ports.
11. To define the protocol and ports, double-click the created rule. The Ekran Properties window opens.
In the Protocols and Ports tab, do the following:
In the Protocol Type list, select TCP.
In the Local port list, select Specific Ports. Type the following port numbers in the box below:
o 9447 (for the connection between the Server and the Clients)
o 22713 and 22714 (for the connection between the Server and the Management Tool)
o 22712 (for the connection between the Server and the Tray Notification Application)
12. Click Apply to save changes. Click OK.
13. Close the Windows Firewall window.
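The rule built in the steps above, as an added PowerShell example that is not part of the original guide: one inbound rule per purpose, each bound to the Server executable and its TCP ports, followed by a read-back that flags any enabled rule for the executable that is still open on all ports, which step 10 describes as the wizard's default. The rule names and the Domain profile are assumptions.

```powershell
# Added example; run in an elevated PowerShell session on the Ekran Server.
$ServerExe  = 'C:\Program Files\Ekran System\Ekran System\Server\EkranServer.exe'  # default path, step 6
$NetProfile = 'Domain'      # assumption: the profile chosen in step 8

# Ports and purposes as listed in step 11; the rule names are hypothetical.
$Rules = @(
    @{ Name = 'Ekran Server - Clients';                       Ports = @('9447') }
    @{ Name = 'Ekran Server - Management Tool';               Ports = @('22713', '22714') }
    @{ Name = 'Ekran Server - Tray Notification Application'; Ports = @('22712') }
)

if (-not (Test-Path -LiteralPath $ServerExe)) {
    throw "Server executable not found: $ServerExe"
}

foreach ($r in $Rules) {
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
        -Program $ServerExe -Protocol TCP -LocalPort $r.Ports -Profile $NetProfile | Out-Null
}

# Read back every enabled inbound allow rule bound to the executable.
# Note: a rule that stores the path in another form (for example with
# %ProgramFiles%) is not matched by this exact-path lookup.
function Get-EkranInboundRule {
    param([Parameter(Mandatory)][string]$Program)
    Get-NetFirewallApplicationFilter -Program $Program -ErrorAction SilentlyContinue |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Profile   = $_.Profile
                Protocol  = $pf.Protocol
                LocalPort = @($pf.LocalPort) -join ','
                AllPorts  = (@($pf.LocalPort) -contains 'Any')
            }
        }
}

$report = @(Get-EkranInboundRule -Program $ServerExe)
$report | Format-Table -AutoSize
$report | Where-Object AllPorts | ForEach-Object {
    Write-Warning "Rule '$($_.Rule)' allows the Server executable on all ports; limit it as in step 11."
}
```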
Using an External/Cloud-Based Server Computer
If your Server is not in the same network as Clients or the Management Tool, do the following:
1. Make sure your Server has a unique external IP address.
2. Specify this address when installing the Management Tool and installing the Client.
Updating the Server
The updating of the Server is performed via the installation file of a newer version. During an update you may select to update the existing database to a newer version or simply reinstall it.
To update the Server, do the following:
1. Run the EkranSystem_Server.exe installation file.
2. On the Welcome page, click Next.
3. On the Already Installed page, select Update/Add/Remove components and click Next.
4. On the Choose Components page, select Ekran System Server and click Next.
5. On the Database Update page, if you want to keep the existing database, select Update database to a new version, otherwise select Reinstall the database. Click Next.
NOTE: To change the type of a database, you need to reinstall the whole system.
6. On the Administrator password page, define the password for the administrator (the default user of Ekran System with login admin and full permissions). Click Next.
7. The update process starts.
8. After the end of the update process, click Finish to exit the wizard.
9. If you are updating the Server from a version lower than 5.5, back up EkranMasterCertificate.
10. If you are updating the Server from version 5.5 and higher, make sure that the master certificate is correct. If necessary, import it from the backed up copy.
Uninstalling the Server
The Server uninstallation is an irreversible operation, during which the database is removed without any user confirmations.
NOTE: Before uninstalling the Server, make sure you have uninstalled all the Clients from the remote computers. If you don't uninstall the Clients, they will remain installed on the remote computers and collect the data locally. It will be impossible to remove them in a common way.
To uninstall the Server from the local computer, do the following:
1. Run the EkranSystem_Server.exe installation file or click Uninstall/Change on the Ekran System application in the Programs and Features window of the Windows Control Panel.
2. The setup wizard opens.
3. Click Next on the Welcome page.
4. On the Already Installed page, select Uninstall and click Next.
5. On the Uninstall Ekran System page, click Uninstall.
6. If you want to delete the database, click Yes in the confirmation message. Otherwise, click No and you will be able to use the saved database during the next installation of the program.
7. Wait for the uninstallation process to complete.
Running Ekran Server Service Under User Account
When running the Ekran Server service under a user account, and not under the LocalSystem account, make sure to assign the necessary rights to this user account.
To configure user rights, do the following:
1. Log in as administrator.
2. Press the Win+R keys to open Run, type secpol.msc, and then click OK.
3. The Local Security Policy window opens.
4. Navigate the console tree to Local Computer Policy\Windows Settings\Security Settings.
5. Expand the Local Policies node, and click User Rights Assignment.
6. Add the user account name that is being used by Ekran Server service to the following policies and click OK:
Act as part of operating system
Impersonate a client after authentication
Log on as a service
Replace a process level token
NOTE: Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
Changing Server Port for Client Connection
Ekran System allows you to define the Ekran Server port via which the Clients connect to the Server. By default, it is set to 9447.
To define the custom port, change the PortSecure value in the Server registry (HKEY_LOCAL_MACHINE\SOFTWARE\Ekran System), and then define the same value in the RemotePort parameter.
Moving Binary Data to Shared or Local Folder
If necessary, you can store binary data received from Clients in the shared or local folder on your computer. This might be necessary for storing large amounts of data.
This feature has the following limitations:
Shared Folders on mapped and mounted disks cannot be used for storing binary data.
After you select to store binary data in the shared folder instead of MS SQL database, the already existing screenshots will no longer be displayed (only metadata will be available for them). The newly received screenshots will be displayed.
When running the Ekran Server service under a user account, and not under the LocalSystem account, make sure to assign the necessary rights to this user account.
NOTE: If the folder for storing binary data is not accessible for some reason, the monitoring data will be written to the local cache and will be automatically sent to the Server as soon as the connection with the folder is restored. You can view information about error events on the Health Monitoring page.
To move binary data to the shared folder, do the following:
1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification area or find the EkranServer service in the Task Manager and click Stop.
2. In the Registry Editor window, click Edit > New > String value and add a new value:
Value type: String
Value name: StorageDirectory
Value data: Shared Folder location as \\<computer IP>\<folder path> or \\<computer name>\<folder path>
3. To access binary data in the shared folder on a different computer from your Server, do the following:
Open Computer Management.
In the Computer Management window, open Services and Applications > Services.
In the Services pane, find the EkranServer service and select Properties in the context menu.
In the EkranServer Properties window navigate to the Log On tab.
In the Log On tab, select the This account option, specify the credentials for the EkranServer service to start under, and click Apply. Make sure the user with the specified credentials has administrator permissions or permissions to start/stop the EkranServer service on your Server computer and read/write permissions for the shared folder on the different computer.
Restart the service.
4. Start the EkranServer service to continue working with the program.
Validating Monitoring Data
About
If necessary, you can enable the validation of monitoring data of Windows Clients, which allows checking that the data in the database has not been altered. It can be enabled for PostgreSQL and MS SQL databases.
Two types of monitoring data validation are available:
Calculating hash codes for monitoring data: in this case, the hash codes will be calculated for each screenshot and metadata record received from Windows Clients.
Signing monitoring data with certificate: in this case, each screenshot and metadata record received from Windows Clients will be signed with the trusted certificate.
NOTE: If both types of validation are enabled, only signing monitoring data with certificate will be used.
After validation of monitoring data is enabled or validation type is changed, all previously recorded sessions of Windows Clients will be considered as invalid.
With enabled validation of the monitoring data, the integrity of monitoring data within a Windows Client session is checked on the session opening via the Session Player. If some screenshots or metadata records have been deleted or modified, the warning message “Session data is not valid!” will be displayed in the Session Player.
NOTE: When the validation of monitoring data is enabled, the CPU usage will rise while viewing the Client sessions in the Session Player.
NOTE: After validation of monitoring data is enabled, screenshots will not be shown for existing sessions that were not viewed before.
Validating Monitoring Data Using Hash Codes
To enable calculating of hash codes for monitoring data, do the following:
1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification area or find the EkranServer service in the Task Manager and click Stop.
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem key.
4. Select Edit > New > DWORD (32-bit) Value and define the following:
Value name: SignMonitoredData
Value data: 1
5. Start the EkranServer service to continue working with the program.
Signing Monitoring Data with Certificate
To enable signing of monitoring data with certificate, you have to do the following on the Ekran Server computer:
Step 1. Import the trusted purchased certificate or the self-signed one.
Step 2. Create a special string value in the Windows Registry.
Step 1. Importing Trusted Certificate
1. On the Ekran Server computer, press Windows+R, type mmc in the Run text box and press Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window, select Certificates and click Add.
5. In the Certificates Snap-in window, select the Computer account option and click Next.
6. In the Select Computer window, select the Local computer: (the computer this console is running on) option and click Finish.
7. In the Add or Remove Snap-ins window, click OK.
8. In the Certificates (Local computer) tree-view, find the Personal node.
9. In the context menu of the Personal node, select All Tasks > Import.
10. The Certificate Import Wizard opens.
11. On the Certificate Import Wizard Welcome page, click Next.
12. On the File to Import page, specify the location and name of the certificate to be imported manually or click Browse, and then click Next.
13. If required, on the Private key protection page, enter the password for the private key and then click Next.
14. On the Certificate Store page, click Next.
15. On the last page of the Certificate Import Wizard, click Finish, and then click OK in the confirmation message.
16. Select Certificates (Local Computer) > Personal > Certificate and double-click the imported certificate.
17. In the Certificate window, select Details > Thumbprint and then copy the Thumbprint value.
Step 2. Enabling Monitoring Data Signing with Certificate
1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification area or find the EkranServer service in the Task Manager and click Stop.
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem key.
4. Select Edit > New > String Value and add a new value:
Value name: SignMonitoredDataCert
Value data: <copied Thumbprint value of the imported certificate (without spaces)>
5. Start the EkranServer service to continue working with the program.
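Step 2 in scripted form, as an added PowerShell example that is not part of the original guide: it strips everything except hex digits from the copied thumbprint (spaces, and the invisible left-to-right mark that can come along from the certificate dialog), checks that the value matches a certificate in the Local computer Personal store, and only then writes the registry value. The function names and the sample thumbprint are constructed.

```powershell
# Added example for Step 2; run elevated on the Ekran Server.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Text)
    # Keep hex digits only. This removes the spaces and also the invisible
    # left-to-right mark (U+200E) that can be copied along with the value.
    $clean = $Text -replace '[^0-9A-Fa-f]', ''
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($clean.Length)."
    }
    $clean
}

function Set-EkranSigningCertificate {
    param([Parameter(Mandatory)][string]$PastedThumbprint)
    $key   = 'HKLM:\SOFTWARE\EkranSystem'      # key named in step 3
    $thumb = ConvertTo-CleanThumbprint $PastedThumbprint

    # The value must match a certificate imported in Step 1
    # (Certificates (Local computer) > Personal).
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
    if (-not $cert) {
        throw "No certificate with thumbprint $thumb in LocalMachine\My."
    }
    if (-not $cert.HasPrivateKey) {
        Write-Warning "Certificate $thumb was imported without a private key."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate $thumb expired on $($cert.NotAfter)."
    }

    Stop-Service -Name EkranServer                                   # step 1
    try {
        New-ItemProperty -Path $key -Name SignMonitoredDataCert -PropertyType String `
            -Value $thumb -Force | Out-Null                          # step 4
    } finally {
        Start-Service -Name EkranServer                              # step 5
    }

    # Read back the stored value and compare it with what was intended.
    $stored = (Get-ItemProperty -Path $key -Name SignMonitoredDataCert).SignMonitoredDataCert
    if ($stored -cne $thumb) {
        throw "Registry holds '$stored', expected '$thumb'."
    }
    $stored
}

# Constructed input: a fake thumbprint as it might arrive from the clipboard,
# with a leading U+200E and a space between each pair of digits.
$pasted = "$([char]0x200E)00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"
"Raw length: $($pasted.Length)"
"Normalized: $(ConvertTo-CleanThumbprint $pasted)"

# On the Server:
# Set-EkranSigningCertificate -PastedThumbprint '<value copied in step 17>'
```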
Editing Database Parameters
Database parameters defined during the Ekran System Server installation can be changed via the Server Tray application.
To change the database parameters, do the following:
1. Right-click the Server Tray icon in the notification area and select Database Parameters.
2. In the Database Parameters window, in the Metadata Storage group, define the following parameters:
Select the type of database you want to use for storing data.
NOTE: The already existing data will not be migrated.
Define the Host Name or IP address of the SQL server.
Define the SQL Server user name and password in the corresponding fields.
3. In the Binary Data Storage group, select one of the following:
For small deployments, select the SQL Database option to store binary data received from Clients in the SQL database. In this case, all data received during the monitoring will be stored on the computer with the installed SQL Server.
For medium and large deployments, select the File System option to store binary data received from Clients in the shared or local folders, and then define the path to the required folder:
o The shared folder location must be defined as \\<computer IP>\<folder path> or \\<computer name>\<folder path> (e.g., \\admin-pc\SharedFolder).
o The local folder location must be defined as <folder path> (e.g., C:\BinaryDataFolder).
NOTE: If the folder for storing binary data is not accessible for some reason, the monitoring data will be written to the local cache and will be automatically sent to the Server as soon as the connection with the folder is restored. You can view information about error events on the Health Monitoring page.
4. Click OK.
5. Restart the Ekran System Server service.
Cleaning Up Sessions of Deleted Clients
There may be a situation where after the deletion of Clients their sessions still remain in the database. You can delete such "lost" sessions via the Server Tray application.
To clean up sessions of deleted Clients, do the following:
1. Right-click the Server Tray icon in the notification area and select Database Parameters.
2. The Database Parameters window opens.
3. On the Advanced tab, click the Clean up lost sessions button.
4. The cleanup of sessions of deleted Clients starts. You can view the cleanup progress in the Management Tool (Configuration -> Database Management).
Management Tool
About
The Management Tool is the component for managing the whole system and viewing monitored data received from Clients. It can be installed on any computer, but a network connection to the Server is required for the Management Tool to operate. There can be several computers with the installed Management Tool in the system. The work with the Management Tool is performed via your browser.
Management Tool Installation Prerequisites
Prerequisites Overview
The following prerequisites are necessary for successful installation of the Management Tool. For Windows 7, it is important that you follow these steps in the correct order.
To be able to install the Management Tool, you need to:
1. Turn on the Internet Information Service.
2. Install .NET Framework.
3. Configure the Internet Information Service.
4. Generate a self-signed certificate or import a purchased SSL certificate issued for the computer, on which the Management Tool will be installed.
5. Add the certificate to the Trusted Root Certification Authorities on the computer, on which the Management Tool will be installed. Otherwise a certificate error will be displayed in your browser when opening the Management Tool.
6. Set HTTPS binding for a default web site (or any other IIS site).
NOTE: If you already have a certificate generated for the computer on which the Management Tool will be installed, you can skip certificate generation step and use an existing certificate.
Turning on Internet Information Service (IIS)
Turning on IIS for Windows 8 and Windows 7
To turn on the Internet Information Service for Windows 8 and Windows 7, do the following:
1. Select Control Panel > Programs and Features (Program uninstallation).
2. Click the Turn Windows features on or off navigation link.
3. The Windows Features window opens.
4. In the features tree-view, select the Internet Information Services option.
5. Click OK.
Turning on IIS for Windows Server 2008 R2
To turn on the Internet Information Service for Windows Server 2008 R2, do the following:
1. In the Start menu, select All Programs > Administrative Tools > Server Manager.
2. In the navigation pane, select Roles, and then click Add Roles.
3. The Add Roles Wizard opens.
4. On the Before You Begin page, click Next.
5. On the Server Roles page, select Web Server (IIS), click Next, and then go to the Role Services page to start configuring Web Server (IIS).
Turning on IIS for Windows Server 2012
The Internet Information Service can be turned on using the Windows PowerShell or Windows Server 2012 Server Manager.
To turn on the Internet Information Service for Windows Server 2012 using Windows PowerShell, do the following:
1. In the Start menu, select Windows PowerShell.
2. Enter the following command and click Enter:
Install-WindowsFeature -Name Web-Server, Web-Mgmt-Tools
To turn on the Internet Information Service for Windows Server 2012 using Server Manager, do the following:
1. In the Start menu, select Server Manager.
2. In the navigation pane, select Dashboard, then click Manage > Add roles and features.
3. The Add Roles and Features Wizard opens.
4. On the Before You Begin page, click Next.
5. On the Installation type page, select Role-based or feature-based installation, and then click Next.
6. On the Server Selection page, select Select a server from the server pool, select your server from the Server Pool list, and then click Next.
7. On the Server Roles page, select Web Server (IIS), click Next and then click Add Features to start configuring Web Server (IIS).
Installing .NET Framework
The .NET Framework 4.8 is included in Windows 10 (version 1903).
If your version of Windows does not have the .NET Framework 4.8, you can download it from the official Microsoft website. The .NET Framework requires administrator privileges for installation.
Configuring Internet Information Service (IIS)
Windows 10
Make sure that all the following options are selected in the Windows Features window and then click OK:
.NET Framework 4.6 Advanced Services;
Internet Information Services > Web Management Tools > IIS Management Console;
Internet Information Services > World Wide Web Services > Application Development Features > ASP.NET 3.5, ASP.NET 4.6, and WebSocket Protocol.
Internet Information Services > World Wide Web Services > Common HTTP Features > Static Content.
Windows 8
Make sure that all the following options are selected in the Windows Features window and then click OK:
.NET Framework 4.5 Advanced Services;
Internet Information Services > Web Management Tools > IIS Management Console;
Internet Information Services > World Wide Web Services > Application Development Features > ASP.NET 3.5, ASP.NET 4.5, and WebSocket Protocol;
Internet Information Services > World Wide Web Services > Common HTTP Features > Static Content.
Windows 7
Make sure that all the following options are selected in the Windows Features window and then click OK:
Internet Information Services > Web Management Tools > IIS Management Console;
Internet Information Services > World Wide Web Services > Application Development Features > ASP.NET;
Internet Information Services > World Wide Web Services > Common HTTP Features > Static Content.
Windows Server 2016
1. In the Add Roles and Features Wizard window, on the Server Roles page, make sure that the Web Server (IIS) option is selected and then click Next.
2. On the Features page, make sure that the following option is selected:
3. .NET Framework 4.6 Features > .NET Framework 4.6 and ASP.NET 4.6
4. Click Next.
5. On the Web Server Role IIS page, click Next.
6. On the Role Services page, select the ASP.NET 4.6 option (under Application Development).
7. Click Next and then click Add Features.
8. On the Role Services page, make sure that the following options are selected:
Application Development >
.NET Extensibility 4.6
ASP.NET 4.6
ISAPI Extensions
ISAPI Filters
WebSocket Protocol
9. Click Next and then click Install.
10. After the end of installation, click Close.
Windows Server 2012
1. In the Add Roles and Features Wizard window, on the Server Roles page, make sure that the Web Server (IIS) option is selected and then click Next.
2. On the Features page, make sure that the following option is selected:
.NET Framework 4.5 (Installed) > ASP.NET 4.5
3. Click Next.
4. On the Web Server Role IIS page, click Next.
5. On the Role Services page, select the ASP.NET 4.5 option (under Application Development).
6. Click Next and then click Add Features.
7. On the Role Services page, expand Application Development, and make sure that the following options are selected:
.NET Extensibility 4.5
ISAPI Extensions
ISAPI Filters
WebSocket Protocol
8. Click Next and then click Install.
9. After the end of installation, click Close.
Windows Server 2008
1. In the Add Roles Wizard window, on the Role Services page, make sure that the following options are selected:
Common HTTP Features > Static Content;
Application Development > ASP.NET.
2. Click Next and then click Add Required Role Services.
3. On the Role Services page, make sure that the following options are selected:
Management Tools > IIS Management Console.
4. Click Next and then click Install. 5. After the end of installation, click Close.
Using Certificates
Generating Self-Signed Certificate
To generate a self-signed certificate on the machine on which you will install the Management Tool, do the following:
1. Open the Internet Information Service Manager:
For Windows 8 or Windows 7: Open Computer > Manage > Services and Applications > Internet Information Services (IIS) Manager.
For Windows Server 2012 or Windows Server 2008: Press Windows+R, enter inetmgr in the Run window and then press Enter.
NOTE: Using the inetmgr command is a common way of opening the Internet Information Service Manager for any version of the Windows operating system.
2. Click the main node in the Connections tree-view and then double-click the Server Certificates item under the IIS category.
3. The Server Certificates pane opens.
4. On the Actions pane (to the right), click Create Self-Signed Certificate.
5. The Create Self-Signed Certificate window opens.
6. Enter the name for a certificate in the Specify a friendly name for the certificate box and select Personal in the Select a certificate store for the new certificate drop-down list. Click OK.
7. The certificate is created.
Exporting Self-Signed Certificate
To export the self-signed certificate, do the following:
1. In the Internet Information Service Manager, on the Server Certificates pane, select the generated certificate and click Export on the Actions pane or in the certificate right-click menu.
2. In the Export Certificate window, define the location and password for the certificate. Click OK.
3. The certificate is exported and can be added to the Trusted Root Certification Authorities.
Importing Trusted Certificate
To import a purchased certificate issued for the computer, do the following:
1. Open the Internet Information Service Manager:
For Windows 8 or Windows 7: Open Computer > Manage > Services and Applications > Internet Information Services (IIS) Manager.
For Windows Server 2012 or Windows Server 2008: Press Windows+R, enter inetmgr in the Run window and then press Enter.
NOTE: Using the inetmgr command is a common way of opening the Internet Information Service Manager for any version of the Windows operating system.
2. Click the main node in the Connections tree-view and then double-click the Server Certificates item under the IIS category.
3. The Server Certificates pane opens.
4. On the Actions pane (to the right), click Import.
5. In the Import Certificate window, click the Browse button to browse for the file of the purchased certificate and enter its password in the Password field.
6. Click OK.
7. The certificate is imported and displayed on the Server Certificates pane of the Internet Information Services (IIS) Manager.
Adding Certificate to Trusted Root Certification Authorities
Before adding the self-signed certificate to the Trusted Root Certification Authorities, it should be exported. For purchased certificates that were issued for your computer this procedure is not needed.
To add the certificate to the Trusted Root Certification Authorities, do the following:
1. Press Windows+R, type mmc in the Run text box and press Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.
4. In the opened Add or Remove Snap-ins window, select Certificates > Add.
5. In the opened Certificates snap-in window, select Computer account and click Next.
6. In the opened Select Computer window, select Local computer: (the computer this console is running on) and click Finish.
7. In the Add or Remove Snap-ins window, click OK.
8. In the Console window, expand the Certificates (Local computer) node.
9. In the Certificates (Local computer) tree-view, find the Trusted Root Certification Authorities node.
10. In the right-click menu of the Trusted Root Certification Authorities node, select All Tasks > Import.
11. The Certificate Import Wizard opens.
12. On the Certificate Import Wizard Welcome page, click Next.
13. On the File to Import page, click Browse to find the certificate to be imported and then click Next.
14. On the Private key protection page, enter the certificate password and then click Next.
15. On the Certificate Store page, click Next.
16. On the last page of the Certificate Import Wizard, click Finish.
17. In the confirmation message, click OK.
18. The certificate is imported and is displayed in the Console window in the Certificates node. Please note that the Issued To field contains the name of the computer on which the Management Tool will be installed, in the format that will be used when opening the Management Tool.
19. Close the Console window.
Setting HTTPS Binding for a Default Web-Site
To set HTTPS binding for a default web-site, do the following:
1. Open the Internet Information Service Manager:
For Windows 8 or Windows 7: Open Computer > Manage > Services and Applications > Internet Information Services (IIS) Manager.
For Windows Server 2012 or Windows Server 2008: Press Windows+R, enter inetmgr in the Run window and then press Enter.
NOTE: Using the inetmgr command is a common way of opening the Internet Information Service Manager for any version of the Windows operating system.
2. Expand the node with the name of the target computer in the central pane.
3. Expand the Sites node.
4. Select the Default Web Site.
NOTE: If there is no such site in the Internet Information Services (IIS) Manager of your computer, you can select any other site (the name of the site does not matter).
5. Click the Bindings navigation link on the right.
6. The Site Bindings window opens.
7. If there is no binding of HTTPS type in the Site Bindings window, click Add.
8. The Edit Site Binding window opens.
9. In the Type box, select https.
10. Next to the SSL certificate drop-down list, click Select.
11. The Select Certificate window opens, where the list of existing certificates is displayed.
12. In the Select Certificate window, select the certificate generated for the Management Tool and then click OK.
13. In the Add Site Binding window, click OK.
14. In the Site Bindings window, click Close.
15. Now the Internet Information Service is fully adjusted and you can start installing the Management Tool.
Installing/Uninstalling/Updating the Management Tool
Installing the Management Tool
To install the Management Tool, do the following:
1. Run the EkranSystem_ManagementTool.exe installation file.
2. On the Welcome page, click Next.
3. Carefully read the terms of the End-User License Agreement and click I Agree.
4. On the Connection Settings page, do the following and then click Next:
In the Server address box, enter the name or IP address of the computer on which the Server is installed.
In the URL address field, enter the folder where the Management Tool will be located within IIS. This URL will be used when opening the Management Tool.
5. On the Choose Install Location page, enter the destination folder in the corresponding field or click Browse and in the Browse For Folder window, define the destination folder. Click Install.
6. The process of installation starts. Its progress is displayed on the Installing page.
7. After the end of the installation process, click Close to exit the wizard.
8. The Management Tool is displayed as an application of a default web site or any other site with https connection in the Internet Information Services (IIS) Manager.
9. Now you can open the Management Tool via your browser from the same computer or a remote one.
Adjusting Computer for Remote Access
If you want to open the Management Tool from a computer other than the one where the Management Tool is installed, you need to adjust the Firewall settings so that this computer can be accessed.
If the users access Management Tool only from computers where it is installed, there is no need to configure Firewall.
To adjust Firewall on the computer where the Management Tool is installed, do the following:
1. In the Control Panel, select System and Security > Windows Firewall.
2. In the Windows Firewall window, click Advanced settings.
3. In the Windows Firewall with Advanced Security window, right click Inbound Rules and select New rule.
4. The New Inbound Rule Wizard opens.
5. On the Rule Type page, select Predefined and then select Secure World Wide Web Services (HTTPS) in the list. Click Next.
6. On the Predefined Rules page, select the World Wide Web Services (HTTPS Traffic-In) check box. Click Next.
7. On the Action page, select Allow the connection. Click Finish.
8. The new inbound rule for Firewall is created.
Updating Management Tool
To update the Management Tool, do the following:
1. Run the Management Tool installation file (EkranSystem_ManagementTool.exe) of a newer version.
2. On the The program is already installed page, select Update and then click Next.
3. Follow the installation instructions.
4. The Management Tool will be updated to the new version.
Uninstalling Management Tool
To uninstall the Management Tool, do the following:
1. Open the Programs and Features window of the Windows Control Panel.
2. In the Programs and Features window, find the Ekran System Management Tool application.
3. In the right-click menu of the application, select Uninstall.
4. The setup wizard opens and starts the uninstallation process.
5. When the process is completed, click Close to exit the setup wizard.
6. The Management Tool is uninstalled and removed from the Internet Information Service (IIS).
Opening Management Tool
To open the Management Tool, do the following:
1. Open the browser and enter https://<name of the computer or IP on which the Management Tool is installed>/<URL address that has been specified during the Management Tool installation> in the address line.
For example, https://john-pc/MyMonitoringSystem.
NOTE: If the certificate is not added to the Trusted Root Certification Authorities or the name of the computer entered in the browser address doesn’t match the subject (Issued To field) of the certificate, your browser will display a certificate error when opening the Management Tool.
2. The Management Tool opens.
3. Enter the credentials of the existing user, added to the system:
For an internal user, enter the login and password defined during user creation.
NOTE: When you open the Management Tool for the first time, enter the login admin and the password defined during the Server installation.
For a Windows user, enter the login in the form <domain name>\<user name> and Windows authentication password.
Please note, if the Active Directory user group has been added to the system, the users belonging to it can log in using their Windows credentials.
4. The Management Tool Home page opens.
By default, only one user can log into the Management Tool at a time. If another user logs in using the same credentials from a different IP address, the first user will be forcibly logged out. You can configure concurrent session settings on the System Settings tab of the Configuration page.
Please note, the Management Tool may take a while to launch on first connection, since IIS is not used constantly and its processes are stopped and restarted on the connection.
If you encounter any problems when opening the Management tool, see the Troubleshooting chapter.
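The two conditions named in the NOTE under step 1 (certificate not in the Trusted Root Certification Authorities, host name not matching Issued To) can be checked from the machine where the browser will run. This is an added PowerShell example, not part of the Ekran System guide; the function name and the default port 443 are assumptions.

```powershell
# Added example, not part of the Ekran System guide.
# Reports how Windows validates the certificate served on the Management Tool's
# HTTPS binding, as seen from the machine where the browser will run.
function Test-ManagementToolCertificate {
    [CmdletBinding()]
    param(
        # Host name exactly as it will be typed in the browser address line
        [Parameter(Mandatory)] [string] $HostName,
        # Assumption: the HTTPS binding uses the default port
        [int] $Port = 443
    )

    $state = @{ Errors = $null; Cert = $null }

    # Record the validation verdict, then return $true so the handshake finishes
    # and the verdict can be reported. No application data is sent.
    $handler = {
        param($source, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        $state.Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
        $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] $handler

    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        try { $ssl.AuthenticateAsClient($HostName) } finally { $ssl.Dispose() }
    }
    finally {
        $tcp.Close()
    }

    $cert = $state.Cert
    $policy = [System.Net.Security.SslPolicyErrors]
    [pscustomobject]@{
        HostName           = $HostName
        IssuedTo           = $cert.GetNameInfo('SimpleName', $false)
        Issuer             = $cert.Issuer
        NotAfter           = $cert.NotAfter
        SelfSigned         = ($cert.Subject -eq $cert.Issuer)
        # Relevant for a self-signed certificate: is this exact certificate in
        # the local machine's Trusted Root Certification Authorities store?
        InTrustedRootStore = Test-Path -LiteralPath "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
        # False when the typed host name does not match the certificate
        NameMatches        = -not $state.Errors.HasFlag($policy::RemoteCertificateNameMismatch)
        # False when the chain does not end in a trusted root on this machine
        ChainTrusted       = -not $state.Errors.HasFlag($policy::RemoteCertificateChainErrors)
        ValidationErrors   = $state.Errors
    }
}

# Usage with the host name from the guide's example URL:
#   Test-ManagementToolCertificate -HostName 'john-pc'
```

A result with NameMatches or ChainTrusted set to False corresponds to the certificate error described in the NOTE; run the check with the same name form (short name, FQDN, or IP) that users will type.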
Licensing
General Licensing Information
To start receiving information from the Clients, you have to assign licenses to them. Four types of licenses are available:
| License | OS | Required additional configuration | Number of recorded concurrent sessions |
|---|---|---|---|
| Workstation Client | Windows desktop OS, Windows desktop in Amazon or Azure Cloud, macOS | - | 1 |
| Infrastructure Server Client | Windows Server | - | 2 |
| Terminal Server Client | Windows Server | installed Remote Desktop Services/Terminal Services or Citrix Server or Published App Server, or deployed on Microsoft Azure or Amazon Web Services | unlimited |
| | Linux | - | |
| Linux/UNIX Server Client | Linux, Oracle Solaris, IBM AIX | - | unlimited |
NOTE: Licenses of the workstation type cannot be assigned to a computer with Server OS.
Each Client can have only one license assigned. During the first connection to the Server, the license corresponding to the Client computer operating system is automatically assigned to a Client. If the license has not been automatically assigned, then you will have to assign the license to the Client manually.
About Serial Keys
When you log into the Management Tool for the first time, you can request a trial serial key which allows you to use 3 Workstation Client licenses, 3 Linux/UNIX Server Client licenses, and 1 Terminal Server Client license for 30 days. The trial serial key will be sent to the email address you specify in the request form.
To use the system permanently and with a greater number of licenses, you have to license it with purchased serial keys on a computer with the installed Server.
NOTE: After activation of any serial key, the embedded trial key expires.
Five types of serial keys are available:
Permanent serial keys: These keys allow you to use the licenses they contain for an unlimited period of time.
Trial serial keys: These keys allow you to use the licenses they contain for 30 days (may vary) from activation and to update the product during this period.
Update and Support serial keys: These keys allow you to extend your update and support period.
Enterprise serial keys: These keys allow you to get access to the enterprise features of the Ekran System for an unlimited period of time.
Trial enterprise keys: These keys allow you to get access to the enterprise features of the Ekran System for 30 days (may vary) from activation and to update the product during this period.
Each permanent, trial, and update and support serial key contains the following data:
Update & support period
Licenses for the Clients
The enterprise serial key does not contain any Client licenses and is active for an unlimited period of time. This key grants you access to such valuable features of the Ekran System as Database Archiving, Advanced SIEM Integration, One-time Password, High-Availability, Multi-Tenant Mode, Password Management, and IP Filtering.
Once you have purchased serial keys, you can either activate serial keys online or add activated serial keys if you have no Internet connection on a computer with the installed Server. Contact your vendor for information on purchasing serial keys.
You need to belong to the Administrators user group of the built-in default tenant to activate serial keys.
Please note, after the activation, serial keys are bound to a specific computer and cannot be used on another computer.
About Update & Support Period
An Update & support period is a period that defines what updates can be applied to your copy of the product. Updates are defined by their release date. After the update & support period expires, you can still assign licenses to Clients, but you will be unable to update the System to versions released after the update & support period expiration date.
The update & support period end date is defined during the serial key activation (either via the Management Tool or on the vendor’s site). It is calculated using the serial key with the longest update & support period.
Example: If you simultaneously activate two keys, one with a 30-day update & support period and one with a 12-month update & support period, the update & support period end date will be set to 12 months from the activation date.
When a new serial key is activated, the update & support period is prolonged accordingly. Please note, if the current update & support period is longer than that of the key being activated, the current update & support period does not change. For example, if you activate a key with a 12-month update & support period after a key with a 30-day update & support period, the update & support period end date will be set to 12 months from the activation date. But if you activate a key with a 30-day update & support period after a key with a 12-month update & support period, the update & support period end date will not change.
If your update & support period expires, you can purchase a special serial key, which does not contain any licenses but extends your update & support period, or you can activate any other serial key.
Viewing License State
You can view the information on serial keys you have activated or added and license details on the Serial Key Management page in the Management Tool.
To view the license state, open the Management Tool and click Serial Key Management navigation link on the left.
The following information is displayed on the Serial Key Management page:
Update & support period end date: The update & support period end date is calculated based on the activation dates of the serial keys and their subscription periods.
Workstation/Terminal Server/Infrastructure Server/Linux/UNIX Server Client licenses used: The number of licenses of the corresponding type used out of total number, which is summed up from all activated serial keys.
Not licensed Clients: The number of installed Clients with no licenses assigned.
Enterprise key: Displays whether the target Server computer has an activated enterprise serial key.
The following information is displayed in the Serial Keys Management grid:
o Key
o Activation date
o Type: Enterprise/Permanent/Update and Support/Trial/Trial Enterprise
o State: activated/deactivated/expired
o Details: expiration/deactivation date, type and number of licenses
Activating Serial Keys Online
To activate purchased serial keys online, do the following:
1. Make sure you have an active Internet connection on the computer with the installed Server.
2. Log in to the Management Tool as a user of the Administrators user group.
3. Click the Serial Key Management navigation link on the left.
4. On the Serial Keys tab, click Activate keys online.
5. In the Serial Key Activation window, enter serial keys to be activated separating them with semicolons or paragraphs and click Activate.
6. The activated keys will appear on the Serial Key Management page.
7. The number of available licenses and the update & support period end date change.
Adding Activated Serial Keys Offline
If you have no Internet connection on a computer on which the serial keys are to be activated, you can activate them on the license site and then add the activated serial keys offline. For more information, send an email to [email protected]
NOTE: Update and Support serial keys cannot be activated offline.
To activate serial keys offline on the license site, do the following:
1. On the computer with the installed Server, start the UniqueIdentifierGenerator.exe file, which you can download at https://www.ekransystem.com/sites/default/files/ekransystem/UniqueIdentifierGenerator.exe
2. The Unique Identifier Generator window opens.
3. Click Generate to generate a unique identifier for your computer.
4. When a unique identifier for your computer is generated, it will appear in a text box under the Unique Identifier group of options.
5. Copy the unique identifier from the text box to a text file on a removable drive.
6. Go to the license site.
7. Enter the generated unique identifier in the Unique Identifier box.
8. Copy and paste the purchased serial keys to the Serial Keys box separating them with paragraphs or spaces.
9. Enter the CAPTCHA text in a text box near the CAPTCHA image.
10. Click Activate.
11. The activatedKeys.txt file will be generated. Save the file on a removable drive.
12. Copy the file to the computer on which you will open the Management Tool.
NOTE: Please do not edit the generated file activatedKeys.txt.
To add activated serial keys in offline mode, do the following:
1. Log in to the Management Tool as a user of the Administrators user group.
2. Click the Serial Key Management navigation link on the left.
3. On the Serial Keys tab, click Add activated keys.
4. On the Activated Serial Key Adding page, click Choose File and navigate to the activatedKeys.txt file with activated serial keys.
5. Click Add.
6. The newly added serial keys appear on the Serial Key Management page.
7. The number of available licenses and the update & support period end date change.
8. If there are both licensed and unlicensed Clients in your network and you want to license the rest of Clients with a purchased key, you will have to assign the license to the remaining unlicensed Clients manually.
Configuring Proxy Server for Serial Keys Activation
When Ekran Server is installed on the machine that is a part of the local network, access to a larger-scale network such as the Internet may be performed via the Proxy Server. In this case, to avoid issues with the serial keys activation, you need to define the Proxy Server parameters in the Ekran Server configuration file.
To define the Proxy Server parameters in the Ekran Server configuration file, do the following:
1. On the machine with the installed Ekran Server, navigate to the folder with the EkranServer.exe.conf file. By default, C:\Program Files\Ekran System\Ekran System\Server.
2. Open the EkranServer.exe.conf file.
3. In the EkranServer.exe.conf file, in the BasicHttpBinding group, define the Proxy Server IP address and port, and then set the useDefaultWebProxy value to false.
Example:
<basicHttpBinding>
  <!-- Replace http://10.0.0.000:10 with the IP address and port of your Proxy Server -->
  <binding name="GetLicenseBinding" proxyAddress="http://10.0.0.000:10" useDefaultWebProxy="false" />
  <binding name="GUIDDeactivationBinding" proxyAddress="http://10.0.0.000:10" useDefaultWebProxy="false" />
  <binding name="GetLicensesByHwidBinding" proxyAddress="http://10.0.0.000:10" useDefaultWebProxy="false" />
  <binding name="GetTrialBinding" proxyAddress="http://10.0.0.000:10" useDefaultWebProxy="false" />
  <binding name="GetLicenseByGuidBinding" proxyAddress="http://10.0.0.000:10" useDefaultWebProxy="false" />
  <binding name="GetActualVersionBinding" proxyAddress="http://10.0.0.000:10" useDefaultWebProxy="false" />
</basicHttpBinding>
4. Restart the Ekran System Server service.
5. Activate serial keys.
Deactivating Serial Keys
If for some reason you decide to discontinue using Ekran System, you can deactivate serial keys.
To deactivate a serial key, do the following:
1. Make sure you have an active Internet connection on the computer with the installed Server.
2. Log in to the Management Tool as a user of the Administrators user group.
3. Click the Serial Key Management navigation link on the left.
4. On the Serial Keys tab, select a serial key to be deactivated and click Deactivate selected.
NOTE: Expired serial keys can’t be deactivated.
5. In the confirmation message, click Deactivate.
6. The deactivated serial key is marked as Deactivated in the State column of the Serial Key Management page.
7. The number of available licenses and the update & support period end date change.
Client License Management
The Client license management is performed in the Management Tool by the user with the administrative Client installation and management and License management permissions.
You can assign a license to a Client or unassign it manually any time. The license can be assigned to an offline Client and it will be applied after the Client is online. If the Client is uninstalled, its license becomes free and can be assigned to another Client.
NOTE: When a trial serial key expires, the corresponding number of licenses is automatically unassigned from Clients.
Information about the number of used and free licenses of each type is displayed on the License Management page in the Management Tool.
To assign the license to one Client, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link on the left.
3. On the Clients page, select the needed Client from the list and then click Edit Client.
4. On the Editing Client page, on the Properties tab, in the License box, select the type of license you want to assign to the Client.
5. Click Finish.
6. The license is assigned to the Client.
To manage the licenses for several Clients, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link on the left.
3. On the Clients page, click Manage Licenses.
4. On the License Management page, select the Clients, to which the licenses should be assigned. To find a specific Client, enter its name in the Contains box and click Apply Filters.
5. When the Clients are selected, click one of the following:
Assign recommended license: Assigns licenses to the selected Clients, automatically defining the type of license based on the operating system of the Client computers. If the corresponding type of license is missing, a license of a higher type can be assigned.
Assign license of specific type: Assigns selected licenses of a specific type to the selected Clients.
Unassign license: Removes licenses from the selected Clients.
NOTE: To change the Client license type, you do not need to unassign the current license. This will be done automatically.
Windows Clients
About
Windows Client is a program that can be installed on the target computers to monitor the activity of their users. The monitored data is sent by the Windows Client to the Server and can be viewed in the Management Tool.
Depending on their permissions, users can install/uninstall Clients remotely, manage their configuration, and manage Client groups.
Monitoring via Windows Clients
The Windows Clients work as follows:
Each Windows Client starts automatically on computer start.
A licensed Windows Client monitors both local and remote sessions, depending on the license type:
- Workstation Client license (one local/remote session)
- Infrastructure license (up to two concurrent sessions)
- Terminal Server Client license (several concurrent sessions)
Every time the computer is restarted, the Windows Client starts recording user activity in a new session. The maximum duration of one session can be 24 hours. At 00:00 all live sessions are terminated. After their termination (their status changes from live to finished), new live sessions automatically start.
If a user works with several monitors, the Windows Client creates screenshots from all of them.
The Windows Client sends its monitoring results to the Server. On the Client side, the monitoring data is compressed before sending it to the Server.
To disable the data compression on the Client side, in the Windows Registry Editor, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client key and add a new value:
o Value type: DWORD
o Value name: Compression
o Value data: 0
If there is no connection with the Server, the Client stores the monitored data locally and automatically sends it to the Server when the connection is restored. The data is stored in the TempWrite.dat file in the Client installation folder. The Client can stop writing data to an offline cache in one of the following cases:
o The amount of data stored offline reaches the limit at which the Client must stop writing to offline cache: This limit is defined during remote Client installation or during generation of Client installation package.
o There is 500 MB of free space left on the hard drive. This parameter can be defined during remote Client installation or generation of Client installation package. The default value is 500 MB.
By default, the Windows Client records user activity as follows:
o Typing: every 10 seconds.
o Mouse clicking: every 3 seconds.
o Active window changing: every 3 seconds.
To change the frequency of user activity recording, in the Windows Registry Editor, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client key and modify the value data:
1. Typing
o Value name: SmartScrTimer
2. Mouse clicking
o Value name: SmartScrTimerMouse
User activity recording triggers usually influence each other, though the average frequency of user activity recording is higher.
Installing Windows Clients
About
During the system deployment, remote installation of the Windows Clients is used. Remote installation of the Clients is performed via the Management Tool.
To ensure successful remote installation of the Windows Clients, you have to set up the network environment beforehand. If your computers belong to a workgroup but not a domain, you need to know the administrator account credentials for each remote computer. Otherwise knowing the domain administrator credentials is enough.
The Windows Clients can also be installed locally via the installation package generated in the Management Tool. Thus you can distribute the installation package of the Client with predefined settings among the network computers and install it. This kind of installation is useful when you experience difficulties with installing the Clients remotely via the Management Tool, or the computers in your network are part of a workgroup and do not have the same administrative account for each computer.
Setting up Environment for Remote Installation
Windows Client Installation Prerequisites
The majority of Windows Client installation/uninstallation issues are caused by incorrect system or network settings.
The following conditions have to be met for successful Windows Client installation:
The remote computer has to be online and accessible via network.
Shared folders have to be accessible on the remote computer. Simple file sharing (Sharing Wizard) has to be disabled if the computer is in a workgroup (for domain computers this requirement can be skipped).
You need to know the domain administrator or local administrator account credentials for the remote computer.
The Server and the Remote Procedure Call (RPC) system services have to be running on the remote computer.
Windows Vista and Windows XP Firewall has to be properly set up on the remote computer during the Clients remote installation.
In Windows 8, Windows 7, Windows Server 2012 and Windows Server 2008 Firewall, inbound connections have to be allowed in the Remote Service Management (RPC) rule for the remote computers and the File and Printer Sharing option has to be enabled (in this case it is not necessary to disable Windows Firewall).
Due to the new SHA-256 code signing, on Windows 7 SP1 and Windows Server 2008 R2 SP1, the Microsoft Security Advisory update 3033929 needs to be installed: https://technet.microsoft.com/en-us/library/security/3033929.aspx.
When running the Ekran Server service under a user account, and not under the LocalSystem account, make sure to assign the necessary rights to this user account.
In Windows Firewall on the Server side, allow the Server executable to accept TCP connections via port 9447 (for the connection between the Server and the Clients).
NOTE: These rules will be added to Windows Firewall automatically, if Windows Firewall is enabled during the Server installation.
Make sure the conditions mentioned above are met to avoid possible problems with Client remote installation.
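A pre-flight check for several of the conditions listed above, as an added PowerShell example that is not part of the Ekran System guide. The function name, the use of the ADMIN$ share as the shared-folder probe, the sample computer names, and running the port test from the administrator's workstation rather than from the Client are assumptions.

```powershell
#Requires -PSEdition Desktop
# Added example, not part of the Ekran System guide.
# Get-Service -ComputerName exists only in Windows PowerShell 5.1 (Desktop edition);
# Test-NetConnection needs Windows 8.1 / Windows Server 2012 R2 or later.
# Run under the domain or local administrator account that will perform the install.

function Test-ClientInstallPrerequisite {
    [CmdletBinding()]
    param(
        # Remote computer that will receive the Windows Client
        [Parameter(Mandatory)] [string] $ComputerName,
        # Computer on which the Ekran Server is installed
        [Parameter(Mandatory)] [string] $ServerName,
        # Server <-> Client port stated in the guide
        [int] $ServerPort = 9447
    )

    $result = [ordered]@{
        ComputerName   = $ComputerName
        RespondsToPing = $false
        AdminShare     = $false
        ServerService  = 'Unknown'
        RpcService     = 'Unknown'
        ServerPortOpen = $false
    }

    # "The remote computer has to be online and accessible via network."
    # ICMP can be blocked on a healthy host, so this is informational only.
    $result.RespondsToPing = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet

    # "Shared folders have to be accessible on the remote computer."
    # Assumption: the administrative share ADMIN$ is used as the probe.
    $result.AdminShare = Test-Path -LiteralPath ('\\{0}\ADMIN$' -f $ComputerName)

    # "The Server and the Remote Procedure Call (RPC) system services have to be running."
    # LanmanServer is the service name behind the display name "Server".
    $services = @(
        @{ Key = 'ServerService'; Name = 'LanmanServer' },
        @{ Key = 'RpcService';    Name = 'RpcSs' }
    )
    foreach ($svc in $services) {
        try {
            $status = (Get-Service -ComputerName $ComputerName -Name $svc.Name -ErrorAction Stop).Status
            $result[$svc.Key] = $status.ToString()
        }
        catch {
            $result[$svc.Key] = 'QueryFailed: ' + $_.Exception.Message
        }
    }

    # "Allow the Server executable to accept TCP connections via port 9447."
    # Tested from this workstation, not from the Client itself.
    $result.ServerPortOpen = Test-NetConnection -ComputerName $ServerName -Port $ServerPort `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    # Ping is left out of the verdict because it may be filtered.
    $result.Ready = $result.AdminShare -and
        ($result.ServerService -eq 'Running') -and
        ($result.RpcService -eq 'Running') -and
        $result.ServerPortOpen

    [pscustomobject]$result
}

# Usage (constructed computer names):
#   'pc-01', 'pc-02' | ForEach-Object {
#       Test-ClientInstallPrerequisite -ComputerName $_ -ServerName 'ekran-srv'
#   } | Format-Table -AutoSize
```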
Disabling Simple File Sharing in Windows XP
To disable simple file sharing in Windows XP, do the following:
1. Open My Computer.
2. Select Tools > Folder Options in the menu.
3. In the Folder Options window, select the View tab.
Clear the Use simple file sharing check box.
4. Click Apply and OK to close the window.
Disabling Sharing Wizard in Windows 8.1, Windows 8 and Windows 7
To disable the Sharing wizard in Windows 8.1, Windows 8, and Windows 7, do the following:
1. Open the Folder options window:
For Windows 8.1/Windows 8: Open the Control Panel and then select Appearance and Personalization.
For Windows 7: Open Computer and then select Organize > Folder and search options.
2. In the Folder Options window, select the View tab.
Clear the Use Sharing Wizard check box.
3. Click Apply and OK to close the window.
Checking System Services
To check that the Server and Remote Procedure Call (RPC) system services are running:
1. Right click Computer and select Manage. The Computer Management window opens.
2. Expand the Services and Applications node and select Services. To quickly access Windows Services, press Windows+R, type services.msc in the Run text box and press Enter.
3. Find the Server service and the Remote Procedure Call (RPC) service in the list of services. Make sure both services are running (their status is displayed as Started).
4. If one or both services are not running, start them manually. To start the service, right-click it and select Start from the context menu. The selected service is started.
Setting up Windows Vista, Windows XP, Windows Server 2003 Firewall
It is not necessary to disable the Firewall in Windows Vista, Windows XP, and Windows Server 2003. For successful remote installation of the Clients, you have to enable the File and Printer Sharing option.
To set up Windows Vista, Windows XP, and Windows Server 2003 Firewall, do the following:
1. Select Start > Control Panel > Windows Firewall.
2. In the Windows Firewall window, select the Exceptions tab.
3. On the Exceptions tab, select the File and Printer Sharing check box.
4. Click OK.
Setting up Firewall for Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012, Windows Server 2008
It is not necessary to disable the Firewall in Windows 8.1, Windows 8, Windows 7, Windows Server 2012, and Windows Server 2008. For successful remote installation of the Clients, you have to allow inbound connections in the Remote Service Management (RPC) rule for the remote computers and enable the File and Printer Sharing option.
To enable inbound connections for the Remote Service Management (RPC) rule, do the following:
1. Select Control Panel > System and Security > Windows Firewall.
2. In the Windows Firewall window, click Advanced settings.
3. In the Windows Firewall with Advanced Security window, click Inbound Rules and then double-click the Remote Service Management (RPC) rule in the rules list.
4. The Remote Service Management (RPC) Properties window opens.
5. In the General tab, select Enabled under General and click Allow the connection under Action.
6. In the Advanced tab, under Profiles, select the profile of the network used for connecting remote computers and the Server.
7. Click Apply and then OK to save the settings and close the Properties window.
8. Close the Windows Firewall window.
To enable the File and Printer Sharing option, do the following:
1. Select Control Panel > System and Security > Windows Firewall.
2. In the Windows Firewall window, click Allow an app or feature through Windows Firewall.
3. In the opened Allowed apps window, click Change settings.
4. Select the File and Printer Sharing option and then click OK.
Installing Windows Clients Remotely via the Management Tool
About
You can install the Windows Clients remotely via the Management Tool. This way of installation is very convenient if all computers in your network have the same domain administrator credentials.
Remote Windows Client Installation is performed by a user who has the Client installation and management permission in two steps:
1. Selecting computers on which Clients will be installed.
2. Defining installation parameters and installing the Clients.
Selecting Computers
To select the computers for Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. The Computers without Clients page opens. On this page, you can see the computers, for which the previous installations failed.
5. Select how you would like to search for computers where the Windows Clients will be installed:
To select computers from the list of all computers in your network, click Deploy via network scan.
To select computers by IP range (IPv4 or IPv6 addresses), click Deploy via IP range.
To select computers by their names, click Deploy on specific computers.
6. In the Choose search results window:
Click Start new search to look for computers with defined parameters.
Click Previous search results to choose the computers found in the previous search. If you have not performed any searches yet, this button will be absent.
7. If you have selected the Deploy via IP range option, the Computers Scan page opens. In the From Address and To Address boxes, enter the IP range (either IPv4 or IPv6), for which the network should be scanned. To find only one computer, enter the same IP address in both boxes. Click Scan.
8. If you have selected the Deploy on specific computers option, the Adding Computers page opens. Enter the names of computers on which Windows Clients must be installed in the box Name and click Scan. Use semicolon to separate computer names.
Please note that you should enter the full name of the computer.
9. The scanning process starts. The list of found computers will be updated automatically. If it is not updated, click Refresh. To stop the scanning process, click Stop.
10. When the scanning process finishes, select check boxes next to the computers that you want to install the Clients on. Click Next.
11. The selected computers are added to the list on the Computers without Clients page.
12. If you want to remove some computers from this list, click Remove from list next to the selected computer.
Remote Windows Client Installation Process
When all computers for Windows Client installation are selected, you are ready to start installation. Please make sure that all selected computers are correctly adjusted.
To install the Windows Clients remotely, do the following:
1. On the Computers without Clients page, click Install.
2. On the Client Configuration page, define the name/IP of the Server, to which the Windows Clients will be connecting, and define the Client configuration for the Clients you are installing. Click Next.
NOTE: The Server IP address has to be static for Clients to connect to it successfully. Unique external IP addresses should be used for cloud-based Servers. You can add several names and IP addresses separated with comma or semicolon.
3. On the Installation credentials page, enter the credentials of a user with administrator permissions on the target computers for Client installation and then click Next.
If the computers are in a domain, enter the domain name and domain administrator account credentials.
If the computers are in workgroup, enter the credentials of a local administrator for target computers.
If you leave the Domain box empty, the entered credentials will be used as the credentials of a local user of a target computer and the Client will be installed under the <target PC name>\<user name> account.
NOTE: All workgroup computers must have the same administrator account credentials. Otherwise use installation via installation package method to deploy the Clients.
4. The installation process starts. The progress of installation will be updated automatically on the Client installation page. If it is not updated, click Refresh.
NOTE: If the connection with the Server fails, the Client will not be installed.
5. After the end of the installation, the installed Clients will appear on the Clients page in All Clients group. If the installation of some Clients fails, these computers will remain in the Computers without Clients list and you can click Retry to start the installation again.
Remote Installation from an Existing .INI File
If you already have an .ini file with defined settings generated in the Management Tool and saved to your computer, you can use it for installing the Windows Clients.
To install the Windows Clients remotely, using an existing .ini file do the following:
1. On the Computers without Clients page, click Install using existing .ini file.
2. On the INI file selection page, click Choose file to select the .ini file that will be used for configuration of new Clients.
Please note, if any parameter except RemoteHost is absent or not valid, its value will be set to default. The RemoteHost parameter is ignored in this type of installation. The Client will connect to the Server to which the Management Tool is connected.
3. Once the .ini file is chosen, click Next and continue the installation the same way as when installing the Clients remotely in a common way.
Installing Windows Clients Locally
About
You can install the Windows Clients locally using the Client installation file generated in the Management Tool. You have two options for downloading the Client installation file from the Management Tool:
Generate the installation package and set the Windows Client configuration during generation.
Use Client installation file (.exe) to install the Client with default parameters.
NOTE: Due to the new SHA-256 code signing, on Windows 7 SP1 and Windows Server 2008 R2 SP1, the Microsoft Security Advisory update 3033929 needs to be installed: https://technet.microsoft.com/en-us/library/security/3033929.aspx.
Windows Client Installation Package
The installation package consists of 2 components:
A signed EkranSystemClient.exe installation file.
An EkranSystemClient.ini text configuration file that contains the Windows Client installation parameters defining the Server, to which the Client will connect, and client configuration.
The table below lists all the Windows Client installation parameters. If any parameter except RemoteHost is absent or not valid, its value will be set to default.
Parameter Description Default Value
Server name/IP
RemoteHost A name or IP address of the computer on which the Server is installed. This parameter might contain several names and IP addresses separated with comma or semicolon.
NOTE: The Server IP address has to be static for Clients to connect to it successfully. Unique external IP addresses should be used for cloud-based Servers.
No
RemotePort The Ekran Server port via which the Clients connect to the Server. By default, it is set to 9447.
9447
Frequency settings for user activity recording
EnableActivity Recording user activity and creating screenshots when an active window is changed. If the value is 1, the option is enabled, if the value is 0 — disabled.
Enabled
EnableWndNmChanges
Recording user activity and creating screenshots when a window name is changed. If the value is 1, the option is enabled, if the value is 0 — disabled.
Enabled
EnableKBandMouse Recording user activity and creating screenshots on clicking and a key pressing. If the value is 1, the option is enabled, if the value is 0 — disabled.
Enabled
EnableTimer Recording user activity and creating screenshots with a certain time interval. If the value is 1, the option is enabled, if the value is 0 — disabled.
Disabled
Timer Time interval of user activity recording and screenshot creation in seconds. This period can’t be less than 30 seconds. This parameter is needed if the EnableTimer parameter is set.
30
Screenshot settings
EnableScreenshotCreation
Creating screenshots along with recording user activity. If the value is 1, the option is enabled, if the value is 0 – disabled.
Enabled
EnableCaptureActiveWindowOnly
Screenshots and recorded metadata will contain information on active window only. If the value is 1, the option is enabled, if the value is 0 – disabled.
Disabled
ColorDepth A colour scheme used for screenshots saving. 7— 4 bits (Grayscale), 8 — 8 bits, 16 — 24 bits.
7(4 bits (Grayscale))
Monitoring parameters
EnableClipboardMon
Logging of copy and paste operations. If the value is 1, the option is enabled, if the value is 0 — disabled.
Enabled
EnableSystemIdleDetect
The system idle event detection. If the value is 1, the system idle event detection is enabled, if the value is 0 — disabled.
Enabled
EnableIdleForceTimeout
Registering idle event when user is inactive. If the value is 1, the forced idle event timeout is enabled, if the value is 0- disabled.
Enabled
IdleForceTimeout Time interval when user is inactive. This period can’t be less than 5 minutes. By default, it is set to 15 minutes.
15
EnableSwiftUsernameMonitoring
Logging of user names used to log in to the SWIFT network. If the value is 1, the option is enabled, if the value is 0 - disabled.
NOTE: This parameter works only if EnableScreenshotCreation=1.
Disabled
EnableSoundCapturing
Recording the audio data. If the value is 1, the option is enabled, if the value is 0 - disabled.
Disabled
Keystroke monitoring parameters
EnableKeystrokes Logging of a keystroke. If the value is 1, the option is enabled, if the value is 0 — disabled.
Enabled
StartSessionOnKeyword
Starting monitoring on detecting a suspicious keyword in the keystrokes. If the value is 1, the option is enabled, if the value is 0 – disabled.
Disabled
Keywords A list of keywords, which being typed trigger the session start, separated with comma (e.g., drugs, medicine). Keywords are combined with OR logic; the LIKE operator is applied to the typed keywords (if drug is written, then drugstore will trigger the session start).
Empty
KeystrokeFiltering Keystroke filtering during monitoring. If the value is “disabled”, the keystroke filtering is disabled and all applications are monitored. If the value is “include”, the keystroke filtering is enabled in the Include mode, and only applications listed in KeystrokeFilteringAppNames or KeystrokeFilteringAppTitles are monitored. If the value is “exclude”, the keystroke filtering is enabled in the Exclude mode, and only applications not listed in KeystrokeFilteringAppNames or KeystrokeFilteringAppTitles are monitored.
Disabled
KeystrokeFilteringAppNames
The list of application names separated with comma (e.g., word.exe, skype.exe). Names are combined with OR logic; the LIKE operator is applied to names (e.g., if word.exe is written then winword.exe will be monitored).
Empty
KeystrokeFilteringAppTitles
The list of application titles separated with comma (e.g., Facebook, Google). Names are combined with OR logic; the LIKE operator is applied to titles (if Facebook is written, then Facebook-Messages will be monitored).
Empty
Log files
MonLogging Creation of monitoring logs on the Client computer. 0 - monitoring logs creation is disabled, 1 - monitoring text log will be created in the LogPath location.
Disabled
LogPath The path to the monitoring logs location. Using environment variables (%appdata%, %temp%, etc.) is allowed.
C:\ProgramData\Ekran System\MonLogs
EventLoggingEnabled
Logging of the Ekran System events, such as errors, warnings, and informational messages to the Windows Event Log. If the value is 1, the option is enabled, if the value is 0 – disabled.
Disabled
LogLevelThreshold A severity level of the log entries to be saved to the Windows event log. If the value is 0, only log entries at the Error level are written; if the value is 1 – log entries at Error and Warning levels are written; if the value is 2 – log entries at Error, Warning, and Information levels are written.
NOTE: This parameter works only if EventLoggingEnabled=1.
Disabled
URL Monitoring
URLMonitoring Monitoring of URL addresses. If the value is 1, the option is enabled, if the value is 0 — disabled.
Enabled
MonitorTopDomain Monitoring of top and second-level domain names. If the value is 1, the option is enabled, if the value is 0 — disabled.
NOTE: This parameter works only if URLMonitoring=1.
Enabled
Application Filtering
FilterState Application filtering during monitoring. If the value is “disabled”, the application filtering is disabled and all applications are monitored. If the value is “include”, the application filtering is enabled in the Include mode, and only applications listed in FilterAppName or FilterAppTitle are monitored. If the value is “exclude”, the application filtering is enabled in the Exclude mode, and only applications not listed in FilterAppName or FilterAppTitle are monitored.
Disabled
FilterAppName The list of application names separated with comma (e.g., word.exe, skype.exe). Names are combined with OR logic; the LIKE operator is applied to names (e.g., if word.exe is written then winword.exe will be monitored).
Empty
FilterAppTitle The list of application titles separated with comma (e.g., Facebook, Google). Names are combined with OR logic; the LIKE operator is applied to titles (if Facebook is written, then Facebook-Messages will be monitored).
Empty
User Filtering
UserFilterState User filtering during monitoring. If the value is “disabled”, activity of all users is monitored. If the value is “include”, the user filtering is enabled in the Include mode, and only activity of users listed in UserFilterNames is monitored. If the value is “exclude”, the user filtering is enabled in the Exclude mode, and only activity of users not listed in UserFilterNames is monitored.
Disabled
UserFilterNames The list of user names separated with a semicolon (e.g., work\jane;work\john). Names are combined with OR logic. Using asterisk (*) as name/domain mask is allowed (e.g., *\administrator or *\admin*).
Empty
Additional options
EnableProtectedMode
The mode of Client work. If the value is 1, the protected mode is enabled, if the value is 0 — disabled.
Disabled
UpdateAutomatically
The Client update mode. If the value is 1, the automatic Client update is enabled, if the value is 0 – disabled and the Client requires manual update.
Enabled
DisplayClientIcon The Client tray icon displaying. If the value is 1, the Client tray icon is displayed, if the value is 0 – hidden.
Disabled
JumpServerMode The Jump Server mode. If the value is 1, the Jump Server mode is enabled, if the value is 0 – disabled.
Disabled
OfflineClientDetection
The notification about the Clients that are offline for more than specified time period. If the value is 1, the offline Client detection is enabled, if the value is 0 – disabled.
Disabled
OfflineClientDetectionInterval
The time period after which the Client will be detected as “lost”.
01d00h00m
OfflineClientNotificationEmail
The list of emails to which the notifications will be sent separated with semicolon (;).
Empty
Monitoring Time Filtering
MonitorTimeFilterState
Filtering the time of recording user activity. If the value is “disabled”, the user activity is recorded twenty-four seven. If the value is “include”, the user activity is recorded only on days defined in MonitoringDays and only during hours defined in MonitoringHours. If the value is “exclude”, the user activity is not recorded on days defined in MonitoringDays and during hours defined in MonitoringHours.
Disabled
MonitoringDays The days of the week during which the Client will or will not record users' activity. The days of the week are combined by OR logic.
Mon, Tue, Wed, Thu, Fri
MonitoringHours The hours during which the Client will or will not record users' activity.
8:00 – 18:00
IP Filtering
IPFilterState IP filtering during monitoring. If the value is “disabled”, remote sessions from all IP addresses are monitored. If the value is “includePublic”, the IP filtering is enabled in the Include mode, and only remote sessions from public IP addresses listed in IPFilterAddresses are monitored. If the value is “excludePublic”, the IP filtering is enabled in the Exclude mode, and only remote sessions from public IP addresses not listed in IPFilterAddresses are monitored. If the value is “includePrivate”, the IP filtering is enabled in the Include mode, and only remote sessions from private IP addresses listed in IPFilterAddresses are monitored. If the value is “excludePrivate”, the IP filtering is enabled in the Exclude mode, and only remote sessions from private IP addresses not listed in IPFilterAddresses are monitored.
Disabled
IPFilterValue The list of IP addresses separated with a comma (e.g., 10.100.0.1,10.100.0.2). IP addresses are combined with OR logic. Using asterisk (*) as a mask is allowed (e.g., 10.200.*.*).
Empty
Authentication Options
NotificationMessage The message that is displayed on user login to the system.
Disabled
EnableNotificationComment
Additional option that requires the user to comment on the additional message displayed on login to the system. If the value is 1, the option is enabled, if the value is 0 — disabled.
Disabled
RequireTicketNumber
Additional option that requires the user to enter a valid ticket number of an integrated ticketing system to start working with the Client computer. If the value is 1, the option is enabled, if the value is 0 – disabled.
Disabled
Two-Factor and Secondary Authentication
EnableForcedAuth Additional identification of users that log in to the Client computer with server operation system. If the value is 1, the option is enabled, if the value is 0 — disabled.
Disabled
EnableOneTimePassword
Additional option that allows the user to request a one-time password to get a temporary access. If the value is 1, the option is enabled, if the value is 0 — disabled.
Disabled
EnableTwoFactorAuth
The option that requires the user to enter a time-based one-time password to log in. If the value is 1, the option is enabled, if the value is 0 — disabled.
Disabled
Advanced Options
InstallDir The path to the Client installation folder. Using environment variables (%appdata%, %temp%, etc.) is allowed.
%ProgramFiles%\Ekran System\Ekran System
LocalCacheLimit Size of the Client offline data cache in MB. 500
TenantKey A unique identifier used by Clients to detect the tenant they belong to.
<Key value>
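The LIKE and asterisk matching described in the table can cover more than the author of a pattern intended, which matters most in the Exclude mode, where every extra match is activity that is not recorded. The following Python model is an added example, not Ekran System code: it assumes case-insensitive matching and that an activity is recorded only when both the user filter and the application filter allow it, and every name in the sample data is constructed.

```python
import re


def split_list(value, sep):
    """Split a filter list from the .ini, dropping blanks and surrounding spaces."""
    return [item.strip() for item in value.split(sep) if item.strip()]


def like(pattern, text):
    """LIKE as in the table's examples: the pattern may occur anywhere in the text."""
    return pattern.lower() in text.lower()  # case-insensitivity is an assumption


def mask(pattern, text):
    """Whole-string match in which only * is a wildcard (UserFilterNames style)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE) is not None


def decide(state, hit):
    """Turn 'matches the list' into 'is monitored' for disabled/include/exclude."""
    if state == "disabled":
        return True
    if state == "include":
        return hit
    if state == "exclude":
        return not hit
    raise ValueError(f"unknown filter state: {state!r}")


def app_monitored(cfg, process_name, window_title):
    """Apply FilterState with FilterAppName (comma list) and FilterAppTitle."""
    names = split_list(cfg.get("FilterAppName", ""), ",")
    titles = split_list(cfg.get("FilterAppTitle", ""), ",")
    hit = (any(like(n, process_name) for n in names)
           or any(like(t, window_title) for t in titles))
    return decide(cfg.get("FilterState", "disabled"), hit)


def user_monitored(cfg, user):
    """Apply UserFilterState with UserFilterNames (semicolon list, * masks)."""
    names = split_list(cfg.get("UserFilterNames", ""), ";")
    hit = any(mask(n, user) for n in names)
    return decide(cfg.get("UserFilterState", "disabled"), hit)


def unrecorded(cfg, activity):
    """Rows of (user, process, title) that the filters would leave unrecorded.

    Assumption: a row is recorded only if both filters allow it.
    """
    return [row for row in activity
            if not (user_monitored(cfg, row[0])
                    and app_monitored(cfg, row[1], row[2]))]


# Constructed configuration and activity, for illustration only.
CFG = {"FilterState": "exclude", "FilterAppName": "word.exe",
       "UserFilterState": "exclude", "UserFilterNames": r"*\admin*"}
ACTIVITY = [
    (r"work\jane", "winword.exe", "Report.docx - Word"),
    (r"work\jane", "crossword.exe", "Daily Crossword"),
    (r"work\jane", "excel.exe", "Budget.xlsx - Excel"),
    (r"work\administrator", "powershell.exe", "Windows PowerShell"),
    (r"work\admin-backup", "cmd.exe", "Command Prompt"),
    (r"work\john", "chrome.exe", "Facebook-Messages"),
]

if __name__ == "__main__":
    for user, process, title in unrecorded(CFG, ACTIVITY):
        print(f"not recorded: {user:22} {process:16} {title}")
```

Running a planned Exclude list against a list of process and account names from your own environment shows which entries an overly short pattern removes from recording.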
Generating Windows Client Installation Package
To generate an installation package, do the following:
1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the Client Management navigation link on the left.
3. On the Clients page, click Install Clients.
4. On the Computers without Clients page, click Download installation file.
5. On the Installation File Download page, select the Windows option in the drop-down list, and then click Windows Client installation package (.ini + .exe).
6. On the Generate Installation Package page, optionally, protect the installation package file from modification, define the name/IP of the Server, to which the Clients will connect, and define the client configuration to be applied to the Client and then click Next.
NOTE: The Server IP address has to be static for Clients to connect to it successfully. Unique external IP addresses should be used for cloud-based Servers.
7. The installation package is successfully created and downloaded to your computer. The download settings depend upon the settings of your browser.
Installing Windows Clients Locally with Custom Monitoring Parameters
To install the Windows Client locally using the installation package, do the following:
1. Copy the package (the EkranSystemClient.exe installation file and the EkranSystemClient.ini file) to the target computer.
2. Start the EkranSystemClient.exe installation file under the administrator account on the target computer.
3. After the package is deployed, the name of the required computer appears on the Client Management page in the Management Tool.
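Because any absent or invalid parameter except RemoteHost is silently set to its default, a typo in the .ini file can leave a control such as EnableProtectedMode switched off without any error. The following Python check is an added example, not part of the Ekran System product or documentation: it assumes the file consists of Key=Value lines, compares names and values exactly as they are written in the parameter table, treats a value below a documented minimum as invalid, and uses a constructed sample file.

```python
ON_OFF = ("0", "1")
STATES = ("disabled", "include", "exclude")
IP_STATES = ("disabled", "includePublic", "excludePublic", "includePrivate", "excludePrivate")
# Defaults from the parameter table; "Enabled"/"Disabled" there are taken as 1/0.
ON_BY_DEFAULT = """EnableActivity EnableWndNmChanges EnableKBandMouse
    EnableScreenshotCreation EnableClipboardMon EnableSystemIdleDetect
    EnableIdleForceTimeout EnableKeystrokes URLMonitoring MonitorTopDomain
    UpdateAutomatically""".split()
OFF_BY_DEFAULT = """EnableTimer EnableCaptureActiveWindowOnly EnableSoundCapturing
    EnableSwiftUsernameMonitoring StartSessionOnKeyword MonLogging
    EventLoggingEnabled EnableProtectedMode DisplayClientIcon JumpServerMode
    OfflineClientDetection EnableNotificationComment RequireTicketNumber
    EnableForcedAuth EnableOneTimePassword EnableTwoFactorAuth""".split()
# name -> (allowed values, default)
ENUMS = {name: (ON_OFF, "1") for name in ON_BY_DEFAULT}
ENUMS.update({name: (ON_OFF, "0") for name in OFF_BY_DEFAULT})
ENUMS.update({name: (STATES, "disabled") for name in (
    "KeystrokeFiltering", "FilterState", "UserFilterState", "MonitorTimeFilterState")})
ENUMS["IPFilterState"] = (IP_STATES, "disabled")
ENUMS["ColorDepth"] = (("7", "8", "16"), "7")
ENUMS["LogLevelThreshold"] = (("0", "1", "2"), "Disabled")  # default as printed
# name -> (minimum, default)
MINIMUMS = {"Timer": (30, "30"), "IdleForceTimeout": (5, "15")}
# Documented parameters with free-form values, not checked here.
FREE_FORM = set("""RemoteHost RemotePort Keywords KeystrokeFilteringAppNames
    KeystrokeFilteringAppTitles LogPath FilterAppName FilterAppTitle
    UserFilterNames OfflineClientDetectionInterval OfflineClientNotificationEmail
    MonitoringDays MonitoringHours IPFilterValue NotificationMessage InstallDir
    LocalCacheLimit TenantKey""".split())
# (parameter, values that need the prerequisite, prerequisite that must be 1)
REQUIRES = [
    ("EnableSwiftUsernameMonitoring", ("1",), "EnableScreenshotCreation"),
    ("MonitorTopDomain", ("1",), "URLMonitoring"),
    ("LogLevelThreshold", ("0", "1", "2"), "EventLoggingEnabled"),
]


def parse_ini(text):
    """Return {name: value} from Key=Value lines; comments and [sections] are skipped."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        values[name.strip()] = value.strip()
    return values


def lint(text):
    """Return (effective, findings) for the text of an EkranSystemClient.ini."""
    given = parse_ini(text)
    effective = {name: default for name, (_, default) in ENUMS.items()}
    effective.update({name: default for name, (_, default) in MINIMUMS.items()})
    findings = []
    if not given.get("RemoteHost"):
        findings.append("RemoteHost: missing or empty, and it has no default")
    for name, value in given.items():
        if name in ENUMS:
            allowed, default = ENUMS[name]
            if value in allowed:
                effective[name] = value
            else:
                findings.append(f"{name}: {value!r} is not one of {allowed}; "
                                f"default {default} applies")
        elif name in MINIMUMS:
            minimum, default = MINIMUMS[name]
            if value.isdigit() and int(value) >= minimum:
                effective[name] = value
            else:
                findings.append(f"{name}: {value!r} is below the minimum {minimum} "
                                f"or not a number; default {default} applies")
        elif name in FREE_FORM:
            effective[name] = value
        else:
            findings.append(f"{name}: not a documented parameter (misspelled?)")
    for name, active, prerequisite in REQUIRES:
        if given.get(name) in active and effective[prerequisite] != "1":
            findings.append(f"{name}: works only if {prerequisite}=1")
    return effective, findings


# Constructed sample; the section name is hypothetical.
SAMPLE_INI = """\
[Client]
RemoteHost=ekran-server.example.internal
RemotePort=9447
EnableProtectedMode=true
EnableTwoFactorAuth=1
EnableTimer=1
Timer=10
EnableKeystroks=1
URLMonitoring=0
MonitorTopDomain=1
"""

if __name__ == "__main__":
    effective, findings = lint(SAMPLE_INI)
    for finding in findings:
        print("WARN", finding)
    print("EnableProtectedMode in effect:", effective["EnableProtectedMode"])
```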
Downloading Windows Client Installation File (.exe)
To download the file for Windows Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. On the Computers without Clients page, click Download installation file.
5. On the Installation File Download page, select the Windows option in the drop-down list, and then click Windows Client Installation (.exe).
6. File downloading starts. The download settings depend upon the settings of your browser.
Installing Windows Clients Locally without .ini File
This type of installation allows you to install the Windows Clients with default configuration. This way you will need only an EkranSystemClient.exe file for Client installation. The EkranSystemClient.ini file with default parameters will be generated automatically.
To install the Windows Client locally using the installation package on the target computer:
1. Copy the downloaded EkranSystemClient.exe file to the target computer and do one of the following:
Start the EkranSystemClient.exe installation file under the administrator account on the target computer and then in the opened window, enter the name or IP address of the computer, on which the Server is installed and after that click Install.
In the Command Prompt (cmd.exe) started under administrator, enter EkranSystemClient.exe /ServerName=<Server Name>.
NOTE: If there is no connection with the Server, the installation will fail and an error message will be displayed.
2. After the package is deployed, the installed Client appears in the list on the Client Management page in the Management Tool.
Installation via Third Party Software
If you want to install the Windows Client via a third-party tool (e.g. via System Center Configuration Manager, Active Directory, etc.), download the Client installation file and use the following command: EkranSystemClient.exe /ServerName=<Server Name>. The Client will be installed with a default configuration.
Installing Windows Client on Amazon WorkSpace
To install the Windows Client on Amazon WorkSpaces, do the following:
1. Download the Client installation file.
2. Connect to the Amazon WorkSpace and run the Client installation file (.exe).
3. Open the Windows Registry Editor and select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client
4. Select the AgentGUID value and click Delete in the context menu.
5. In the opened confirmation message, click Yes.
NOTE: You will not be able to edit the registry values in the Protected Mode.
6. In the Amazon WorkSpaces management console, do the following:
- Create an image of the Amazon WorkSpace with installed Windows Client.
- Create a bundle from the newly created image.
- Create new Amazon WorkSpaces from the newly created bundle.
7. All new Amazon WorkSpaces created from the bundle will automatically connect to the Ekran Server.
NOTE: Make sure that Ekran Server is allowed to accept TCP connections via port 9447 for connection between Ekran Server and Ekran Clients.
Installing Windows Client Remotely Using PsExec
To install the Windows Client remotely using PsExec, do the following:
1. Download the PsTools package and unpack it.
2. Download the Client installation file.
3. Copy both the installation file and PsExec.exe to the same folder.
4. Run the Command Prompt (cmd.exe) as administrator.
5. Navigate to the folder with the installation file and PsExec.exe by entering the following command:
cd path/to/folder
6. Enter the following command in the command line and press Enter:
psexec \\<target PC IP> -u <user name> -p <password> -c EkranSystemClient.exe /servername=<server name/IP>
The parameters have the following meaning:
\\<target PC IP>: The IP address of the computer on which the Windows Client must be installed.
-u <user name>: The user name for login to the target computer. Please note, the user must have administrative rights.
-p <password>: The password of the defined user. If you omit this parameter, you will be prompted to enter the password after the command execution.
-c EkranSystemClient.exe: The Client installation file.
/servername=<server name/IP>: The name or IP address of the Ekran Server to which the Windows Client will be connected. Please note, if the Virtual Local Area Networks are different, it is necessary to ping the Ekran Server from the Client computer.
Cloning a Virtual Machine with Installed Client
Each Windows Client has its own unique ID, which it receives when it connects to the Server. When you prepare a virtual machine, which is to be monitored, for cloning, you need to remove the Client ID to ensure the proper Client connection to Server.
To remove the Client ID, do the following:
1. Make sure the Client is offline (does not have any connection with the Server).
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client
4. Select the AgentGUID value and click Delete in the context menu.
5. In the opened confirmation message, click Yes.
NOTE: You will not be able to edit the registry values in the Protected Mode.
Each new Client with a new AgentGUID will be displayed as a separate instance in the Management Tool. To avoid displaying multiple Clients, you can run the script below to use the virtual machine name as AgentGUID. The script must be run on each system start.
taskkill /f /im ekran*
reg delete HKLM\SOFTWARE\EkranSystem\Client /v AgentGUID /f
reg delete /v PreviousState /f
del "c:\Program Files\Ekran System\Ekran System\Client\OfflinePool.dat" /q
reg add HKLM\SOFTWARE\EkranSystem\Client /v AgentGUID /t REG_SZ /d %COMPUTERNAME% /f
net start EkranClient
Unassigning License on Virtual Machine Shutdown
If Ekran Windows Client is used on virtual machines, in some cases the master image might be used multiple times. To prevent wasting Client licenses when this occurs, you can either configure the Client license to be unassigned on the virtual machine shutdown or enable the Golden Image mode for the Server.
Golden Image Mode for the Server
If the Golden Image mode is enabled for Ekran System Server, then the Server will automatically unassign a license from the Client when it becomes offline.
To enable Golden Image mode for the Server, do the following:
1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification area or find the EkranServer service in the Task Manager and click Stop.
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem key.
4. Select Edit > New > DWORD (32-bit) Value and define the following:
- Value name: GoldenImageMode
- Value data: 1
5. Start the EkranServer service to continue working with the program.
Unassigning License via the Script on the Client Side
Before configuring a virtual machine image, you have to create a cmd file (for example, uninstall_client.cmd) containing the following command-line command:
call "<path to EkranClient.exe>" -uninstwl <uninstallation key>
For example (default installation parameters used):
call "C:\Progra~1\EkranS~1\EkranS~1\Client\EkranClient.exe" -uninstwl allowed
To configure the image of the virtual machine with the Client for the license to be unassigned
on shutdown:
1. Start your virtual machine image.
2. Configure the system and install the necessary software. 3. Install Ekran Client (via remote installation or locally) with the Protected Mode option
disabled. 4. Open the Windows Registry Editor.
5. In the Registry Editor window, select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client
6. Select the AgentGUID value and click Delete in the context menu. 7. In the opened confirmation message, click Yes. 8. Copy uninstall_client.cmd to the target folder on your virtual machine.
9. Run the Command Prompt (cmd.exe) as administrator. 10. Enter the gpedit command.
11. In the Local Group Policy Editor window, select Computer Configuration -> Windows Settings -> Scripts (Startup/Shutdown) -> Shutdown
12. In the Shutdown Properties window, click Add and select the uninstall_client.cmd file. 13. Click OK.
14. Create the master snapshot (gold image).
105
15. From now on, whenever you start the virtual machine using this image, the Client is
going to connect to the Server as a new Client and get a license assigned to it. Whenever the virtual machine is shutdown, the license is going to be unassigned from the Client.
NOTE: If you need the license to be unassigned on Logoff, you have to edit the Logoff script in a similar way in the Local Group Policy Editor (User Configuration -> Windows Settings -> Scripts (Logon/Logoff) -> Logoff -> Properties).
Updating Windows Clients
About
Ekran System offers two update options for Windows Clients:
- automatic update
- update of selected Clients via the Management Tool
The automatic Client update is performed when a Windows Client connects to the Server of a newer version. It is recommended to use the automatic Client update.
If you want to control the update of target Client machines yourself, you can disable the automatic update on the required Clients and update them via the Management Tool.
After the Windows Client is updated, you will still be able to access the monitored data received before its update.
NOTE: Windows Clients of very old versions might not be able to update. In this case, you need to re-install the Clients.
Windows Client Status after Server Update
If the Update Client automatically option is enabled for the Windows Client, it is updated automatically when it connects to the Server of a newer version.
If the Update Client automatically option is disabled for the Windows Client and it requires manual update, it is displayed with the icon in the grid on the Clients page. Such Clients store the monitoring data locally. They restart sending monitoring data to the Server after update.
Updating Windows Clients Automatically
To update a Windows Client automatically, do the following:
1. Log in to the Management Tool as a user that has the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client that needs to be updated automatically and click Edit Client.
4. On the Editing Client page, on the Properties tab, select the Update Client automatically option.
5. Click Finish.
6. The Client will be updated automatically when it connects to the Server of a newer version.
Updating Windows Client Manually
To update a selected Windows Client via the Management Tool, do the following:
1. Log in to the Management Tool as a user that has the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client that needs to be updated and click Edit Client.
4. On the Editing Client page, on the Properties tab, clear the Update Client automatically option.
5. Click Finish to save the changes.
6. Update the Server.
7. Log in to the Management Tool as a user that has the Client configuration management permission.
8. Click the Client Management navigation link to the left.
9. On the Clients page, select the Client that needs to be updated and click Edit Client.
10. On the Editing Client page, on the Properties tab, click Update.
11. On its next connection to the Server, the Client will be updated to a newer version.
Reconnecting Windows Clients to Another Server
If you want to reconnect the Windows Clients to another Server, start the remote installation from that Server. The Clients will be reconnected.
Please note that this way of reconnection can be used only for the Clients that work in the non-protected mode. If your Clients work in the protected mode, first disable the protected mode and then reconnect the Clients.
Uninstalling Windows Clients
About
Windows Clients can be uninstalled locally or remotely. It is possible to uninstall the Windows Client locally only with the help of the Uninstallation key.
After uninstallation, the Client stops sending its data to the Server, but its data is not deleted from the Server and the Client is displayed in the Management Tool. The Client status in the Management Tool becomes offline after uninstallation.
To delete the Client from the Server (with all its captured data) and from the Management Tool, follow the steps described in the Deleting the Client section.
Client Uninstallation Key
During the Server installation it is possible to define the Client Uninstallation key. By default, this key is allowed.
The Client Uninstallation key is used during the local Client uninstallation.
The user is able to view or change the Client Uninstallation key in the Management Tool.
If you change the Uninstallation key, the Client will receive it after connection to the Server. If the Client has not connected to the Server yet, then its Uninstallation key is allowed. If the Client has not connected to the Server after the Uninstallation key has been changed, the Client has to be uninstalled with the help of an old Uninstallation key.
To change the uninstallation key, do the following:
1. Log in to the Management Tool as a user with the Client uninstallation permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Uninstallation Key.
4. On the Custom Uninstall Key page, enter the new uninstallation key in the New Key field.
5. Re-enter the new uninstallation key in the Confirm Key field and then click Save.
6. The uninstallation key is changed.
Uninstalling Windows Clients Remotely
To uninstall a Windows Client, do the following:
1. Log in to the Management Tool as a user that has the Client uninstallation permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client you want to uninstall and click Edit Client.
4. On the Editing Client page on the Properties tab, click Uninstall Client.
NOTE: This option is not displayed if the Client is already uninstalled or you don’t have the Client uninstallation permission for it.
5. In the confirmation message, click Uninstall.
6. The Client is uninstalled.
To uninstall several Windows Clients, do the following:
1. Log in to the Management Tool as a user with the Client uninstallation permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select Uninstall Clients.
4. On the Client Uninstallation page, click Add Clients to list.
5. The page with the Clients for which you have the Client uninstallation permission opens.
6. Select the Clients that you want to uninstall and click Next. To find a specific Client, enter its name or a part of its name in the Contains box and click Apply Filters.
7. Make sure you have added all necessary Clients to the uninstallation list and click Uninstall.
8. The selected Clients are uninstalled.
Uninstalling Windows Clients Locally
It is possible to uninstall the Windows Client locally only with the help of the Uninstallation key that is defined during the Server installation or in the Management Tool.
To uninstall the Windows Client locally, do the following:
1. Run the Command Prompt (cmd.exe) as administrator.
2. In the Command Prompt, go to the Client installation folder. By default, it is located here: C:\Program Files\Ekran System\Ekran System\
3. Enter the following command: UninstallClient.exe /key=<uninstallation key> /silent=true
4. Press Enter.
5. The Client is successfully uninstalled.
NOTE: If you do not add the /silent=true parameter to the uninstallation command, the confirmation message for uninstalling the Client will be displayed on the Client computer.
Viewing Windows Clients
Windows Clients are displayed in groups on the Client Management page. If the user has an administrative Client installation and management permission, they will see all Clients. Otherwise, the user will see only those Clients for which they have at least one Client permission.
The Client list contains the following information:
Client name
Status
Type
Domain
IPv4
IPv6
Description
Please note, if there are several network cards on the Client computer, only those IPv4 and IPv6 addresses used by Windows Clients will be displayed in the Management Tool.
You can filter Windows Clients in the following ways:
To sort Clients by the type of operating system, click the Type column header.
To find Windows Clients only, select the Hide Linux Clients and Hide macOS Clients options and click Apply Filters.
To find Clients by their host name or description, enter the name/description or a part of it in the Contains box and click Apply Filters.
To hide offline/online/uninstalled/licensed Clients, select the corresponding option in the Filtering pane and click Apply Filters.
On the Client Management page you have the following options: Add Client Group, Install Clients, Manage Licenses, Edit Uninstallation Key, Uninstall Clients, Delete Clients, Edit Client Configuration, and Edit Client Groups. The number of available options depends upon permissions.
macOS Clients
About
macOS Client is a program that can be installed on the target computers to monitor the activity of their users. The monitored data is sent to the Server and can be viewed via the Session Viewer in the Management Tool.
Monitoring via macOS Clients
The macOS Clients work as follows:
Each macOS Client starts automatically on computer start.
A macOS Client with a Workstation Client license monitors either one local or remote session.
Every time the computer is restarted, the macOS Client starts recording user activity in a new session. The maximum duration of one session can be 24 hours. At 00:00 all live sessions are terminated. After their termination (their status changes from Live to Finished), new live sessions automatically start.
The session status becomes Finished whenever: the computer is turned off, the user is logged out, or the macOS Client is disconnected from the Server. Whenever the macOS Client reconnects to the Server, the session status changes from Finished back to Live.
If a user works with several monitors, the macOS Client creates screenshots from all of them.
If there is no connection with the Server, the Client stores the monitored data locally (default folder is /Library/Application Support/Ekran) and automatically sends it to the Server when the connection is restored. It is recommended to have not less than 500MB of free space on the disk where the Client is installed to save data during the offline session.
The frequency of user activity recording of the macOS Client is the following:
- If the user is typing the text, the user activity is recorded every 10 seconds.
- If the user clicks a mouse, the user activity is recorded every 3 seconds.
- If the user changes an active window, the user activity is recorded every 3 seconds.
User activity recording triggers usually influence each other, though the average frequency of user activity recording is higher.
Installing macOS Client
About
You can install the macOS Clients locally using the Client installation file generated in the Management Tool.
Downloading macOS Client Installation File
To download the file for macOS Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. On the Computers without Clients page, click Download installation file.
5. On the Installation File Download page, select the MacOS option in the drop-down list, and then click MacOS x64 Client Installation (.tar.gz).
6. File downloading starts. The download settings depend upon the settings of your browser.
Installing macOS Clients
This type of installation allows you to install the macOS Clients locally using the downloaded EkranSystemmacOSClientx64.tar.gz package.
To install the macOS Client on the target computer with a macOS operating system from the command line:
1. Make sure that there is only one user logged in to the computer.
2. Copy the installation package to any folder.
3. Run the Terminal.
4. Navigate to the folder with the installation package by entering the following command:
cd path/to/folder
5. Unpack the installation package using the following command:
tar xvfz <installation package name>
6. Navigate to the unpacked EkranClient folder using the following command:
cd EkranClient
The EkranClient folder contains the install.sh script used to install the Client.
7. Run the macOS Client installation script specifying the Server name or Server IP address and the port used for connection to the Server (9447 is recommended):
./install.sh <server_name/IP> <server_port>
8. After the end of the installation, macOS Client will appear in the list on the Clients page in the Management Tool.
Uninstalling macOS Clients
About
macOS Clients can be uninstalled locally or remotely.
After uninstallation, the Client stops sending its data to the Server, but its data is not deleted from the Server and the Client is displayed in the Management Tool. The Client status in the Management Tool becomes offline after uninstallation.
To delete the Client from the Server (with all its captured data) and from the Management Tool, follow the steps described in the Deleting the Client section.
Uninstalling macOS Clients Remotely
To uninstall a macOS Client, do the following:
1. Log in to the Management Tool as a user that has the Client uninstallation permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client you want to uninstall and click Edit Client.
4. On the Editing Client page on the Properties tab, click Uninstall Client.
NOTE: This option is not displayed if the Client is already uninstalled or you do not have the Client uninstallation permission for it.
5. In the confirmation message, click Uninstall.
6. The Client is uninstalled.
To uninstall several macOS Clients, do the following:
1. Log in to the Management Tool as a user with the Client uninstallation permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select Uninstall Clients.
4. On the Client Uninstallation page, click Add Clients to list.
5. The page with the Clients for which you have the Client uninstallation permission opens.
6. Select the Clients that you want to uninstall and click Next. To find a specific Client, enter its name or a part of its name in the Contains box and click Apply Filters.
7. Make sure you have added all necessary Clients to the uninstallation list and click Uninstall.
8. The selected Clients are uninstalled.
Uninstalling macOS Clients Locally
To uninstall the macOS Client from the command line, do the following:
1. Run the Terminal.
2. Do one of the following:
- Navigate to the folder with the macOS Client by entering the command:
cd /Library/Application\ Support/Ekran/EkranAgent
The EkranAgent folder contains the uninstall.sh script used to uninstall the Client.
Run the uninstallation script by entering the following command and press Enter:
sudo ./uninstall.sh
Or
- Run the uninstallation script by entering the following command and press Enter:
sudo /Library/Application\ Support/Ekran/EkranAgent/uninstall.sh
3. Enter the password of the superuser.
4. macOS Client is successfully uninstalled.
Viewing macOS Clients
The macOS Clients are displayed in the Management Tool in the Clients list along with the Windows and Linux Clients. If the users have an administrative Client installation and management permission, they will see all Clients. Otherwise, the users will see only those Clients for which they have at least one Client permission.
The Client list contains the following information:
Client name
Status
Type
IPv4
IPv6
Description
The Domain column is empty for macOS Clients.
Please note, if there are several network cards on the Client computer, only the IPv4 and IPv6 addresses used by macOS Client will be displayed in the Management Tool.
You can filter macOS Clients in the following ways:
To sort Clients by the type of operating system, click the Type column header.
To find macOS Clients only, select Hide Windows Clients and Hide Linux Clients and click Apply Filters.
To find Clients by their host name or description, enter the name/description or a part of it in the Contains box and click Apply Filters.
To hide offline/online/uninstalled/licensed Clients, select the corresponding option in the Filtering pane and click Apply Filters.
Linux Clients
About
The Linux Client is a program that can be installed on the target computers to monitor the activity of their users in the terminal. The monitored data is sent by the Linux Client to the Server and can be viewed via the Session Viewer in the Management Tool.
Optionally, during the Linux Client installation, you can enable monitoring of graphical interface for X Window System. It allows monitoring the user sessions started locally via the graphical interface.
Monitoring via Linux Clients
Remote SSH Session Monitoring
The Linux Client monitors the following actions:
1. User actions (input commands and responses from the terminal).
2. System calls.
3. Commands being executed in the running script.
Linux Clients start recording a new monitoring session each time the remote SSH terminal is opened.
There is no time limitation for a remote Linux Client session. The session status becomes Finished whenever the remote SSH terminal is closed or the Linux Client is disconnected from the Server. Whenever the Linux Client reconnects to the Server, the session status changes from Finished back to Live. Even if the license is unassigned from the Linux Client or the Linux Client process is killed, monitoring of started sessions continues until the remote SSH terminal is closed.
Local Sessions Monitoring (for X Window System)
Ekran System allows you to monitor the user session started locally via the graphical interface. The session includes recorded user activity (screenshots, application name, activity title, activity time).
The Linux Clients start monitoring after a user opens a new application window. The user activity is recorded every 10 seconds.
A new session is started every time the computer is restarted. The maximum duration of one local session can be 24 hours. At 00:00 all live sessions are terminated. After their termination (their status changes from live to finished), new live sessions automatically start.
Installing Linux Client
About
You can install the Linux Clients locally from the command line using the EkranSystemLinuxClient.tar.gz package, respectively:
EkranSystemLinuxClientx64.tar.gz for the 64-bit system
EkranSystemLinuxClientx86.tar.gz for the 32-bit system
Downloading Linux Client Installation File
To download the file for Linux Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. On the Computers without Clients page, click Download installation file.
5. On the Installation File Download page, select the Linux option in the drop-down list, and then click Linux x86 Client Installation (.tar.gz) or Linux x64 Client Installation (.tar.gz).
6. On the Generate Installation Package page, optionally, protect the installation package file from modification, and then define the name/IP of the Server to which the Clients will connect, and click Download.
7. File downloading starts. The download settings depend upon the settings of your browser.
Installing Linux Clients
This type of installation allows you to install the Linux Clients locally from the command line using the downloaded EkranSystemLinuxClient.tar.gz package.
On the operating systems with enabled Security-Enhanced Linux (for example, CentOS and RedHat), before installing the Client to the custom directory, you need to pre-configure the SELinux Policy first.
On the Solaris operating system, before installing the Client, you need to update bash first.
NOTE: For Linux, AIX, and Solaris distributions, GNU bash 3.2.25(1) or higher must be installed.
To install the Linux Client on the target computer with a Linux operating system from the command line:
1. Copy the installation package to any folder. Make sure you use the correct installation package (x64 or x86).
2. Run the command-line terminal.
3. Navigate to the folder with the installation package by entering the following command:
$ cd path/to/folder
4. Unpack the installation package using the following command:
$ tar xvfz <installation package name>
5. Go to the unpacked EkranClient folder using the following command:
$ cd EkranClient
The EkranClient folder contains the install.sh script used to install the Client.
6. Run the Linux Client installation script specifying the Server name or Server IP address and the port used for connection to the Server (9447 is recommended).
$ sudo ./install.sh <server name or Server IP address> <server port>
If the Multi-Tenant mode is enabled, specify the Tenant Key parameter and the Tenant Key value of the required tenant.
$ sudo ./install.sh <server name or Server IP address> <server port> -tenantKey <tenant key value>
Optionally, to enable the monitoring of graphical interface for X Window System, specify the X11 parameter.
$ sudo ./install.sh <server name or Server IP address> <server port> -withX11
Examples:
$ sudo ./install.sh 10.100.4.182 9447
The Client connects to the Server with IP 10.100.4.182 through the port 9447. The monitoring of graphical interface for X Window System is not enabled.
$ sudo ./install.sh Server1 9447 -withX11 -tenantKey 90807A10-DF80-45EA-A7DE-A550B55F548A
The Client connects to the Server with the name Server1 through the port 9447. The monitoring of graphical interface for X Window System is enabled. The Client belongs to the tenant with the specified tenant key.
7. After the Client is installed, it starts monitoring a new session with the next user login.
8. The installed Linux Client appears in the list on the Client Management page in the Management Tool.
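When the install.sh call in step 6 is driven from automation, the values should be checked before they reach sudo. The following POSIX shell helper is an added example, not part of the vendor guide or of Ekran System's own tooling; all function names are hypothetical, and it assumes a tenant key always has the GUID shape shown in the example above.

```shell
#!/bin/sh
# Added example: pre-flight validation for the Linux Client install.sh call.
# Only install.sh, -withX11, -tenantKey, port 9447 and the bash 3.2.25
# requirement come from the guide; every function name here is hypothetical.
# Function bodies written in ( ) run in a subshell, so their variables and
# the IFS change stay local and "exit" only leaves that function.

# version_ge HAVE NEED: succeed when dotted version HAVE >= NEED.
# A "(build)" suffix such as the one in "3.2.25(1)" is ignored.
version_ge() (
    have=${1%%"("*}
    need=${2%%"("*}
    case $have in ''|*[!0-9.]*) exit 2 ;; esac
    case $need in ''|*[!0-9.]*) exit 2 ;; esac
    IFS=.
    set -- $have; h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
    set -- $need; n1=${1:-0}; n2=${2:-0}; n3=${3:-0}
    # Compare field by field as numbers: 3.2.9 is older than 3.2.25.
    if [ "$h1" -ne "$n1" ]; then [ "$h1" -gt "$n1" ]; exit; fi
    if [ "$h2" -ne "$n2" ]; then [ "$h2" -gt "$n2" ]; exit; fi
    [ "$h3" -ge "$n3" ]
)

# installed_bash_ok: the bash found on PATH meets the guide's minimum.
installed_bash_ok() (
    found=$(bash -c 'printf %s "$BASH_VERSION"' 2>/dev/null) || exit 1
    version_ge "$found" 3.2.25
)

# valid_server NAME: host name or IP only. A leading "-" is rejected so the
# value can never be read by install.sh as an option.
valid_server() {
    case $1 in ''|-*|*[!A-Za-z0-9.:_-]*) return 1 ;; esac
}

# valid_port PORT: decimal number in the range 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_tenant_key KEY: 8-4-4-4-12 hex digits (assumed format, see lead-in).
# The length check also rules out multi-line input.
valid_tenant_key() {
    [ "${#1}" -eq 36 ] || return 1
    printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# build_install_cmd SERVER PORT [TENANT_KEY] [yes|no]
# Prints the command line in the form the guide uses, or fails with a reason.
build_install_cmd() (
    server=$1; port=$2; tenant=${3:-}; x11=${4:-no}
    valid_server "$server" || { echo "rejected server: $server" >&2; exit 1; }
    valid_port "$port" || { echo "rejected port: $port" >&2; exit 1; }
    cmd="sudo ./install.sh $server $port"
    if [ "$x11" = yes ]; then
        cmd="$cmd -withX11"
    fi
    if [ -n "$tenant" ]; then
        valid_tenant_key "$tenant" || { echo "rejected tenant key" >&2; exit 1; }
        cmd="$cmd -tenantKey $tenant"
    fi
    printf '%s\n' "$cmd"
)

# Constructed demo input: the values of the guide's second example.
build_install_cmd Server1 9447 90807A10-DF80-45EA-A7DE-A550B55F548A yes
if installed_bash_ok; then
    echo "bash meets the 3.2.25 minimum"
else
    echo "bash is missing or older than 3.2.25" >&2
fi
```

The helper only prints the command; review the output and run it from the unpacked EkranClient folder.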
Updating Linux Clients
About
Ekran System offers two update options for Linux Clients:
- automatic update
- update of selected Clients via the Management Tool
The automatic Client update is performed when a Linux Client connects to the Server of a newer version. It is recommended to use the automatic Client update.
If you want to control the update of target Client computers yourself, you can disable the automatic update on the required Clients and update them via the Management Tool.
After the Linux Client is updated, you will still be able to access the monitored data received before its update.
NOTE: Linux Clients of very old versions might not be able to update. In this case, you need to re-install the Clients.
Linux Client Status after Server Update
If the Update Client automatically option is enabled for the Linux Client, it is updated automatically when it connects to the Server of a newer version.
If the Update Client automatically option is disabled for the Linux Client and it requires manual update, it is displayed with the icon in the grid on the Clients page. Such Clients store the monitoring data locally. They restart sending monitoring data to the Server after update.
Updating Linux Clients Automatically
To update a Linux Client automatically, do the following:
1. Log in to the Management Tool as a user that has the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client that needs to be updated automatically and click Edit Client.
4. On the Editing Client page, on the Properties tab, select the Update Client automatically option.
5. Click Finish.
6. The Client will be updated automatically when it connects to the Server of a newer version.
Updating Linux Client Manually
To update a selected Linux Client via the Management Tool, do the following:
1. Log in to the Management Tool as a user that has the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client that needs to be updated and click Edit Client.
4. On the Editing Client page, on the Properties tab, clear the Update Client automatically option.
5. Click Finish to save the changes.
6. Update the Server.
7. Log in to the Management Tool as a user that has the Client configuration management permission.
8. Click the Client Management navigation link to the left.
9. On the Clients page, select the Client that needs to be updated and click Edit Client.
10. On the Editing Client page, on the Properties tab, click Update Client.
11. On its next connection to the Server, the Client will be updated to a newer version.
Uninstalling Linux Clients
To uninstall the Linux Client from the command line, do the following:
1. Run the command line terminal.
2. Navigate to the folder with the Linux Client by entering the command:
$ cd /opt/.Ekran
3. The .Ekran folder contains the uninstall.sh script used to uninstall the Client.
4. Run the uninstallation script by entering the following command and press Enter:
$ sudo ./uninstall.sh
5. Enter the password of the superuser.
6. Linux Client is successfully uninstalled.
Viewing Linux Clients
The Linux Clients are displayed in the Management Tool in the Clients list along with the Windows Clients. If the user has an administrative Client installation and management permission, they will see all Clients. Otherwise, the user will see only those Clients for which they have at least one Client permission.
The Client list contains the following information:
Client name
Status
Type
IPv4
IPv6
Description
The Domain column is empty for Linux Clients.
Please note, if there are several network cards on the Client computer, only the IPv4 and IPv6 addresses used by Linux Clients will be displayed in the Management Tool.
You can filter Linux Clients in the following ways:
To sort Clients by the type of operating system, click the Type column header.
To find Linux Clients only, select Hide Windows Clients and Hide macOS Clients and click Apply Filters.
To find Clients by their host name or description, enter the name/description or a part of it in the Contains box and click Apply Filters.
To hide offline/online/uninstalled/licensed Clients, select the corresponding option in the Filtering pane and click Apply Filters.
Tray Notifications Application
About
The Ekran System Tray Notifications is a component of the Ekran System application that allows you to receive notifications on alert events on Clients. Alerts are instances that notify the investigator of a specific activity (potentially harmful/forbidden actions) on the target computers on which Clients are installed and allow the investigator to respond to such activity quickly without performing searches.
The application is completely independent and can be used for receiving alert notifications on any computer.
Installing/Uninstalling the Tray Notifications Application
Installing the Tray Notifications Application
To install the Tray Notifications application, do the following:
1. Run the TrayNotifications_<version>.msi installation file.
2. Click Next on the Welcome page.
3. Carefully read the terms of the End-User License Agreement, select the I Accept the terms in the License Agreement check box, and click Next.
4. On the Destination Folder page, enter the installation path for deploying. Click Next.
5. Click Install to confirm the installation.
6. The installation process starts.
7. After the end of the installation process, click Finish to exit the wizard.
Uninstalling the Tray Notifications Application
To uninstall the Tray Notifications application, do the following:
1. Run the TrayNotifications_<version>.msi installation file.
2. The setup wizard opens.
3. Click Next on the Welcome page.
4. On the Change, repair, or remove installation page, select Remove.
5. Click Remove to confirm removing.
6. Wait for the uninstallation process to complete.
Troubleshooting
Quick Access to Log Files
Log files contain information that might be useful to the administrator for detecting problems in the system, if any.
You can either analyse the log files yourself to get more information on what is happening in your system or send them to the Support team to help them in detecting the source of problems in your system.
To download the Management Tool log file, click the Health Monitoring navigation link to the left, click next to the System state tab and select Download MT log file in the menu. In the Save As window, browse to the location, where the log file should be saved, and click Save. The log file will be downloaded to your computer.
To download the Server log file, click the Health Monitoring navigation link to the left, click next to the System state tab and select Download Server log file. In the Save As window, browse to the location, where the log file should be saved, and click Save. The log file will be downloaded to your computer.
Please note that every time the Server restarts, a new log file is created. The latest log file can be downloaded via the Management Tool; other log files can be viewed in C:\Program Files\Ekran System\Ekran System\ServerLogs.
To download the Client log file, click the Client Management navigation link to the left, and then click the Download Logs link for the required online Client. In the Save As window, browse to the location, where the log file should be saved, and click Save. The Client log file will be downloaded to your computer.
NOTE: The log files can be downloaded only for the online Clients.
To download the Client log files for the Client Group, click the Client Management navigation link to the left, and then click the Download All Logs link for the required Client Group. In the Save As window, browse to the location, where the log files should be saved, and click Save. The Client log files will be downloaded to your computer.
Database/Server
Database/Server Related Issues
Issue Cause/Solution
I cannot start the Server from the Server tray.
To start the Server, the Server tray service must be started under the administrator account.
There are too many records in the database.
Use the automatic or manual database cleanup feature to remove the old records from the database.
123
Issue Cause/Solution
I have defined a new database, what happened to the old one?
The old database remains in place and is not changed.
I need to create a non-default SQL database user whose account will be used for running Ekran System Server.
Make sure you have granted the dbcreator and public role to the SQL Server user whose account will be used for running Ekran System Server. The User must change password at next login option must be cleared.
I need to transfer the data from an old database to a new one/I want to change the type of the database without losing data.
Unfortunately, the data cannot be transferred from one database to another.
I have transferred the SQL database to another computer.
Unfortunately, you can’t relocate the SQL database to another computer. Though you can move it to another location on the same PC with SQL means.
I have installed a new version of the Server and I want to use the old database.
If you have updated the Server, your old database will remain. If you have reinstalled the Server, you need to use a new database.
I have used the database cleanup feature, but the size of the database didn’t change.
The cleanup feature only removes data from the database, but doesn’t change the size reserved by it. To reduce the size of the database, click Shrink database on the Database Management tab on the Configuration page of the Management Tool.
I have accidentally removed the database from the MS SQL Server.
You need to define a new database. To do this, you need to reinstall the Server.
I cannot shrink the database: the Shrink database button is absent in the Management Tool on the Database Options tab.
Make sure you use the MS SQL Server database.
The shrinking cannot be performed if the cleanup procedure is in progress.
My anti-virus blocks the Server uninstallation/update.
Due to the specifics of the uninstaller, some anti-viruses might flag it during a virus scan (a false positive). In this case, it is recommended to disable your anti-virus during Server uninstallation/update.
Database/Server Related Error Messages
The following table provides the list of error messages related to databases and the Server and their causes and possible solutions. These messages may appear in the Management Tool, from the Server tray service, or during the installation of the Server.
Message Cause/Solution
If you get the following message in the Management Tool: "Connection with MS SQL database is lost. Please check that the database is accessible and try again."
The Server has lost the connection to the MS SQL Server. Please make sure that the MS SQL Server is running and it is online and accessible. To check that the MS SQL Server computer is accessible, enter the following command in the Windows command line: ping <name of the MS SQL Server computer>
The connection to the MS SQL Server is blocked by the Firewall. Try disabling the Firewall on the MS SQL Server side.
If you get the following message when trying to restart the Server service: “Not enough permissions to restart the Server.”
You can restart the Server service only under the administrator account.
If you get the following error while trying to clean up the database: “Error occurred while clearing the database. Please try again.”
The program encountered an unexpected error while trying to clear the database. Try clearing the database again.
Make sure the Server service is running.
There was a problem with the connection to the database. Please make sure that the computer on which the database is installed is online and accessible. To check that the computer is accessible, enter the following command in the Windows command line: ping <name of the computer with installed database>
If the problem still appears, please send us the logs (the Server Service file), which you can find in the Server sub-folder of the Ekran System installation folder.
If you get the following message from the Server tray service: "The Server connection with the database has been lost. Click to view logs."
The Server has lost the connection to the database. Please make sure that the computer on which the database is installed is online and accessible. To check that the computer is accessible, enter the following command in the Windows command line: ping <name of the computer with installed database>
If the problem comes up again, please send us the logs (the Server Service file), which you can find in the Server sub-folder of the Ekran System installation folder.
If you get one of the following messages while trying to perform an action with database:
"An error occurred when shrinking database. Please try again."
"Error occurred while retrieving database info. Please try again."
The program encountered an unexpected error while trying to perform an action with database. Please try performing the action again.
There was a problem with the connection to the database. Please make sure that the computer on which the database is installed is online and accessible. To check that the computer is accessible, enter the following command in the Windows command line: ping <name of the computer with installed database>
If the problem still appears, please send us the logs (the Server Service file), which you can find in the Server sub-folder of the Ekran System installation folder.
Management Tool
Management Tool Related Issues
Issue Cause/Solution
HTTP 500 Internal Server error is displayed when I try to connect to the Management Tool.
For Windows 7, follow these instructions:
1. Make sure that all the following check boxes are selected in the Windows Features window: .NET Framework 3.5 > Windows Communication Foundation HTTP Activation and Windows Communication Foundation non-HTTP Activation.
2. Run the Command Prompt (cmd.exe) as administrator:
Enter %windir%\Microsoft.NET\Framework\v4.0.xxxxx\aspnet_regiis.exe -iru (for a 32-bit machine) or
%windir%\Microsoft.NET\Framework64\v4.0.xxxxx\aspnet_regiis.exe -iru (for a 64-bit machine).
Example: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -iru
3. Press Enter.
For Windows 10, 8.0 or 8.1, make sure that all the following options are selected in the Windows Features window: .NET Framework 3.5 > Windows Communication Foundation HTTP Activation and Windows Communication Foundation non-HTTP Activation.
The license management function is unavailable and I cannot assign licenses to Clients.
Make sure you have the administrative Client installation and management and License management permissions. In the Single-tenant mode, if you have this permission, but the license management function is still unavailable, then your copy of the program is not licensed. Please purchase serial keys and activate them online or activate them on your vendor’s license site and add them offline. In the Multi-tenant mode, if you are a user of a non-default tenant, contact your technician to make sure you have been granted licenses.
I have no Internet connection on the computer with the installed Server and cannot activate serial keys.
You can activate the serial on the license site of your vendor and then add activated keys on the computer with the installed Server.
I have reinstalled/updated the Server and now there are no activated serial keys in it.
If you activated serial keys online, after you reinstall or update the Server, activated serial keys will be automatically synchronized. For this purpose, you need to have an active Internet connection during the first start of the Server.
If you used an offline activation (added activated serial keys), you need to add them in the Management Tool again.
The list of the domain computers is empty during the Client installation.
This problem can be caused by network or Windows issues (e.g. your computer cannot connect to the local network). If there are no network problems, try searching for computers via the Add computers by IP option. To install Clients in such a way, on the Computers without Clients page click Add computers by IP.
The list of the domain computers is not complete during the Client installation.
Ekran System obtains the list of domain computers using standard Windows methods, which do not always provide the full list of computers.
The target computer is out of the domain.
If DNS settings of your computer network allow, you can:
Search for computers using the Add computers by IP option. To install Clients in such a way, on the Computers without Clients page, click Add computers by IP.
Create an installation package and install a Client locally on the target computer. To generate an installation package, on the Computers without Clients page, click Download installation file and then select the type of the installation file you want to download. When the installation file is downloaded to your computer, you can start the installation process.
I have assigned a Terminal Server Client license instead of a Workstation Client license to the Client or I have assigned a license to the wrong Client.
Any license can be unassigned from a Client anytime.
There are some Clients that I did not install.
These may be old Clients that were installed earlier. You can uninstall them remotely via the Management Tool or locally on the Client computer.
I do not receive email notifications, although the parameters are correct.
Make sure you do not use Microsoft Exchange Server 2010, which is not supported.
Some of the Management Tool functions are unavailable.
Make sure that you have the corresponding permissions for these functions.
The Management Tool page is displayed incorrectly.
Try clearing the browser cache and cookies and sign in again.
Some of the navigation links are not displayed on the Management Tool page.
Try clearing the browser cache and cookies and sign in again.
I do not want to provide the user with access to all Clients.
By defining the Client permissions for the user in the Management Tool, you can define which Clients the user will have the access to.
I forgot the password of the internal user.
Contact the administrator and ask him to change the password.
I forgot the password of the tenant admin.
If the tenant admin is registered via email, please contact your technician and ask to resend an email with a new password.
If the tenant admin is a domain user, contact your system administrator.
The user is able to perform actions that are supposed to be prohibited for him/her (e.g. the user sees the Clients that he/she doesn’t have a permission for).
Check the groups which the user belongs to. He/she might have inherited some new permissions from these groups.
I haven’t received any reports or alert notifications by email.
Check the Spam folder.
Management Tool Error Messages
The following table provides the list of error messages that you may see while working in the Management Tool and their causes and possible solutions.
Message Cause/Solution
If you get the following message when trying to connect to the Management Tool: “Server is unavailable. Please contact administrator.”
The program encountered an unexpected error while trying to perform an action.
Please refresh the Management Tool.
Please make sure that the Server is running.
Please restart the Server and try again.
If the problem comes up again, please contact the support.
If you get the following message when trying to connect to the Management Tool: “Wrong password or username.”
Please make sure that your login and the password are correct. If you are logging in as a Windows user, don’t forget to write <domain name>\<login>.
Windows Client
Checking that the Client Is Installed
If the Client is successfully installed, it will appear on the Clients page of the Management Tool in the Data View pane.
If there is no Client in the Management Tool, you have to check whether the Client has been installed.
You can check if the Client is installed on the investigated computer in one of the following ways:
The EkranService.exe process is running.
The EkranClient and EkranController services are started.
There is a <system disk>:\Program Files\Ekran System\Ekran System\Client\ folder with executable files.
The HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client key has the following values:
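The four checks above can be run in one pass on the investigated computer. The following PowerShell is an added example, not part of the Ekran System documentation; it assumes EkranClient and EkranController are the service names (not display names), and the function name Test-EkranClientInstalled is hypothetical.

```powershell
# Added example: reports each installation indicator listed in the guide.
# Process, service, folder and registry names come from the guide;
# the function name is hypothetical.
function Test-EkranClientInstalled {
    [CmdletBinding()]
    param(
        # <system disk> from the guide; defaults to the drive Windows runs from.
        [string]$SystemDrive = $env:SystemDrive
    )

    $clientDir = Join-Path $SystemDrive 'Program Files\Ekran System\Ekran System\Client'
    $regPath   = 'HKLM:\SOFTWARE\EkranSystem\Client'
    $svcNames  = 'EkranClient', 'EkranController'

    # 1. EkranService.exe process (Get-Process takes the name without ".exe").
    $proc = Get-Process -Name 'EkranService' -ErrorAction SilentlyContinue

    # 2. Both services must exist and be in the Running state.
    $svc     = @(Get-Service -Name $svcNames -ErrorAction SilentlyContinue)
    $running = @($svc | Where-Object { $_.Status -eq 'Running' })

    # 3. Client folder that contains executable files.
    $exes = @(Get-ChildItem -Path $clientDir -Filter '*.exe' -File -ErrorAction SilentlyContinue)

    # 4. Registry key; only the value names are listed, not their data.
    $key        = Get-Item -Path $regPath -ErrorAction SilentlyContinue
    $valueNames = if ($key) { $key.GetValueNames() } else { @() }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ProcessRunning     = [bool]$proc
        ServicesFound      = ($svc.Name -join ', ')
        ServicesRunning    = ($running.Count -eq $svcNames.Count)
        ClientFolder       = $clientDir
        ExecutablesFound   = $exes.Count
        RegistryKeyPresent = [bool]$key
        RegistryValueNames = ($valueNames -join ', ')
    }
}

Test-EkranClientInstalled | Format-List
```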
Clients Installation/Uninstallation Issues and Error Messages
Common causes of issues with remote installation or uninstallation of Clients are inadequate network configuration or system settings. If you are sure that a user has administrative rights on the Client computer, please check whether all of the conditions for successful installation are met.
Remote Installation Error Messages
During remote Client installation you can get the following error messages:
The user doesn’t have enough permission on the remote host.
The network name cannot be found.
Client machine must be rebooted before agent installation.
The host is unavailable now or turned off. Try again later.
Solving Remote Installation Issues
If you receive the following error message during the remote Client installation: “The User doesn’t have enough permission on the remote host”, the issue is usually caused by one of the following:
There is no access to network shares.
DNS service is unavailable.
UAC is enabled (Windows 10/8/7/Vista).
Errors in Active Directory.
Issues with the Service Principal Name for the domain.
Two computers have the same computer name.
Issue: There is No Access to Network Shares
For successful remote installation, Ekran System needs to access the administrative shares on the target computers. First, check that you have access to the administrative shares, and if there is no access, enable it.
How to Check:
To check the administrative shares availability, do the following:
1. Open Windows Explorer.
2. In the address bar type \\<target_computer_IP/Name>\admin$ and press Enter.
3. When the Enter Network Password window opens, enter administrator credentials and click OK.
4. If the login credentials are accepted, the system folder opens (by default, C:\Windows).
If you get an error after performing step 2, try the following:
Open the Command Prompt (cmd.exe). Enter and execute the ping <target_computer_name or IP> command. Check the following:
1. If you do not get ping replies, network may be down. Check the network connection and try again.
2. If the network is up, but you do not get the ping reply, check the firewall on the remote computer. Disable the firewall on the target remote computer.
If you are receiving ping replies, but the administrative share is still unavailable, check that the Sharing Wizard or the Simple file sharing are disabled.
If you are receiving ping replies and the sharing options are good, but you still cannot access the administrative shares, check that the Server system service is running on the remote computer.
If you get a login error after performing step 3, try the following:
Make sure that the credentials you enter are correct. You have to enter the credentials of a domain administrator or a local administrator account on the remote computer.
Verify that the account password is not empty. Accounts with empty passwords cannot be used for remote connection.
Try typing the username as <domain_name>\<username> if the remote computer is in a domain, or <computer_name>\<username> if the PC belongs to a workgroup.
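The check sequence above as a PowerShell function, added here as an example and not taken from the guide. The function name is hypothetical, the TCP 445 probe is an addition that stands in for checking the Server service remotely (administrative shares are served over SMB), and Test-NetConnection requires Windows 8.1 / Server 2012 R2 or later on the machine that runs it.

```powershell
# Added example. Run it from the computer that performs the remote installation.
function Test-RemoteInstallAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Target,   # name or IP of the target computer
        [pscredential]$Credential                # optional; otherwise the current session is used
    )
    $unc = '\\{0}\admin$' -f $Target

    # ping <target_computer_name or IP>
    $ping = Test-Connection -ComputerName $Target -Count 2 -Quiet

    # Administrative shares are served over SMB (TCP 445) by the Server service.
    $smb = (Test-NetConnection -ComputerName $Target -Port 445 `
            -WarningAction SilentlyContinue).TcpTestSucceeded

    # Steps 2-4 of the guide: open \\<target>\admin$ with administrator credentials.
    $share = $false
    $shareError = $null
    try {
        if ($Credential) {
            New-PSDrive -Name EkranChk -PSProvider FileSystem -Root $unc `
                -Credential $Credential -ErrorAction Stop | Out-Null
            $share = Test-Path 'EkranChk:\'
            Remove-PSDrive -Name EkranChk
        } else {
            $share = [bool](Get-ChildItem -Path $unc -ErrorAction Stop | Select-Object -First 1)
        }
    } catch {
        $shareError = $_.Exception.Message
    }

    # Map the result to the branch of the guide that applies.
    $next = if ($share) {
        'Administrative share is reachable.'
    } elseif ($smb) {
        'SMB answers but admin$ was refused: check the credentials (non-empty password, ' +
        '<domain_name>\<username> or <computer_name>\<username>), the Sharing Wizard / ' +
        'Simple file sharing setting, and the Local Account Token Filter Policy.'
    } elseif ($ping) {
        'Ping replies but TCP 445 is closed: check the firewall on the target and that ' +
        'the Server system service is running there.'
    } else {
        'No ping reply and TCP 445 is closed: check the network connection, then the ' +
        'firewall on the target.'
    }

    [pscustomobject]@{
        Target     = $Target
        PingReply  = $ping
        Smb445Open = $smb
        AdminShare = $share
        ShareError = $shareError
        NextStep   = $next
    }
}

# Test-RemoteInstallAccess -Target '<target_computer_IP/Name>' | Format-List
```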
How to Fix:
To enable access to administrative shares, you need to enable the Local Account Token Filter Policy.
NOTE: This is a known Windows issue that might block remote application installation.
To enable Local Account Token Filter Policy:
1. Open the Windows Registry Editor.
2. In the Registry Editor window, select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
3. Double-click the LocalAccountTokenFilterPolicy value, or select it and click Modify in the right-click menu.
4. In the Value data box, type 1, and then click OK.
5. Close the Windows Registry Editor.
If the LocalAccountTokenFilterPolicy registry value does not exist, follow these steps:
1. In the Windows Registry Editor in the Edit menu, click New, and then click DWORD Value.
2. Type LocalAccountTokenFilterPolicy and then press ENTER.
3. In the Value data box, type 1, and then click OK.
4. Close the Windows Registry Editor.
Issue: DNS Service is Unavailable
DNS service may be unavailable in your network. Try using the remote computer's IP address if you cannot access it by the name.
How to check:
To check the DNS Service availability, please execute the following command in the Command line (cmd.exe): ping <Computer name>.
If the command doesn’t respond, you have to enable the DNS Service.
How to fix:
To enable the DNS Service, please follow the instructions of the Windows Troubleshooting. In Windows Server 2003, you can use the netdiag.exe tool.
Issue: UAC is Enabled (Windows 10/8/7/Vista)
If you can access the administrative shares normally on the remote PC running Windows Vista or Windows 7/8, but the Client remote installation fails, try disabling the User Account Control on the remote computer.
How to check:
By default, UAC is enabled in Windows 8/7/Vista.
How to fix:
To disable UAC, do the following:
1. Open the Windows Registry Editor.
2. Select the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System.
3. Double-click the EnableLUA value, or select it and click Modify in the right-click menu.
4. In the opened window, in the Value data field, enter 0 and click OK.
5. Close the Windows Registry Editor window and then reboot the Client computer.
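Both registry edits in this section (LocalAccountTokenFilterPolicy set to 1 and EnableLUA set to 0) relax UAC on the target computer: the first gives remote logons by local administrators a full token, the second turns UAC off. The PowerShell below is an added example, not part of the guide, that records the previous state before each change so it can be put back once the Client is installed; the function names and the backup folder are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. The key and value names are the ones given in the guide;
# the function names and the backup folder are hypothetical.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$BackupDir = Join-Path $env:ProgramData 'EkranInstallPolicyBackup'

function Set-InstallPolicyValue {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('LocalAccountTokenFilterPolicy', 'EnableLUA')]
        [string]$Name,
        [Parameter(Mandatory)]
        [ValidateSet(0, 1)]
        [int]$Value
    )
    $backup = Join-Path $BackupDir "$Name.json"
    # Keep the first snapshot only, so a second run cannot overwrite the original state.
    if (-not (Test-Path $backup)) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $old = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name     = $Name
            Existed  = [bool]$old
            OldValue = if ($old) { [int]$old.$Name } else { $null }
            SavedAt  = (Get-Date).ToString('o')
        } | ConvertTo-Json | Set-Content -Path $backup -Encoding UTF8
    }
    # Creates the DWORD value if it is missing, otherwise overwrites it.
    New-ItemProperty -Path $PolicyKey -Name $Name -PropertyType DWord -Value $Value -Force |
        Out-Null
}

function Restore-InstallPolicyValue {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('LocalAccountTokenFilterPolicy', 'EnableLUA')]
        [string]$Name
    )
    $backup = Join-Path $BackupDir "$Name.json"
    if (-not (Test-Path $backup)) { throw "No saved state for $Name in $BackupDir" }
    $saved = Get-Content -Path $backup -Raw | ConvertFrom-Json
    if ($saved.Existed) {
        # The value was present before the change: write the recorded data back.
        Set-ItemProperty -Path $PolicyKey -Name $Name -Value ([int]$saved.OldValue)
    } else {
        # The value did not exist before the change: remove it again.
        Remove-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    }
    Remove-Item -Path $backup
}

# Before remote installation (an EnableLUA change takes effect only after a reboot):
#   Set-InstallPolicyValue -Name LocalAccountTokenFilterPolicy -Value 1
#   Set-InstallPolicyValue -Name EnableLUA -Value 0
# After the Client is installed:
#   Restore-InstallPolicyValue -Name LocalAccountTokenFilterPolicy
#   Restore-InstallPolicyValue -Name EnableLUA
```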
Issue: Active Directory Errors
Errors in Active Directory may be caused by the absence of the critical object that represents the trust relationship between the two Active Directory domains, which have a parent/child or tree root trust relationship.
How to Check:
Errors in Active Directory may occur when you have two or more replicated domains.
How to Fix:
To resolve errors in Active Directory, do the following:
1. Open the Active Directory Users > Computer Tools.
2. Open the System Container.
3. If there is no TDO object (trusted domain object) in the System container, please reset the trust between parent and child relationships between domain controllers of different domains with netdom.
Issue: Errors in Service Principal Name for the Domain
Issues with the Service Principal Name (SPN) for the domain that hosts the replica can occur when the SPN has not been propagated to the domain that contains the account which you use when you run the Dcpromo.exe file. This propagation may have been delayed because of replication latencies.
How to Fix:
To resolve issues with SPN, do one of the following:
Log in as the domain admin of the child domain.
Wait for replication to complete and use the root admin account.
Issue: Two Computers Have the Same Computer Name
The computer in the child domain has the same name as the computer in the parent domain.
How to Fix:
To resolve this issue, rename the computer in the parent domain which has the same name as the computer in the child domain.
If you get a message at the end of the remote Client installation: “The network name cannot be found”, it can be caused by the following reasons:
There is no access to the remote computer.
There is no access to Network Shares.
Issue: There is No Access to the Remote Computer
How to Check:
Please check that you have access to the remote computer. To do this, enter the following command in the Windows command line: ping <name of the remote computer>
If you do not receive any response, the access might be blocked by the remote computer Firewall.
How to Fix:
Try enabling the Local Account Token Filter Policy on the target computer.
Issue: There is No Access to Network Shares.
Please follow the instructions described above.
If you get a message at the end of the remote Client installation: “Client machine must be rebooted before agent installation”, reboot the computer: if the Client has been recently uninstalled, the Client computer must be rebooted before a new installation.
If you get a message after clicking Uninstall Ekran System Client: “The host is unavailable now or turned off. Try again later.”, this means that the Client may be offline or may not be able to connect to the Server. Please do one of the following:
Wait until the Client appears online.
If the Client does not appear online, uninstall it locally on the Client computer via the Windows command line by executing the following command: UninstallClient.exe /key=<uninstallation key>
By default, the UninstallClient.exe file is located here: C:\Program Files\Ekran System\Ekran System\.
Linux Client
Checking the State of the Linux Client
If the Linux Client is successfully installed, it will appear on the Clients page of the Management Tool in the Data View pane.
If there is no Linux Client in the Management Tool, you have to check whether the Client has been installed.
To check the status of the Linux Client, run the command-line terminal and enter the following command:
$ service Ekran status
Restarting Linux Client
To restart the Linux Client, use the following command in the terminal of the Client computer:
$ sudo service Ekran restart
Alternatively, stop and restart the Linux Client using the following commands:
$ sudo service Ekran stop
$ sudo service Ekran start