Ehorus: Documentation: Advanced configurations


1 Advanced Configurations

Any configuration change in the agent requires a restart of the agent for it to take effect.

On Linux

/etc/init.d/ehorus_agent_daemon

On Windows

Control panel -> Services -> eHorus Agent -> restart

On Mac

launchctl start com.ehorus.ehorus_agent

The eHorus configuration file can be found under the following directory:

Linux

/etc/ehorus/ehorus_agent.conf

Mac

/usr/local/ehorus_agent/ehorus_agent.conf

Windows

C:\Program Files\ehorus_agent\ehorus_agent.conf

To modify this file you need administrator privileges (root on Linux); on Windows, run the shell, Notepad or Explorer as an administrator (right click -> Run as administrator).

1.1 Agent password

Optionally you can specify an agent connection password, which can differ for each device. This password is written in clear text in the agent configuration file, using the following configuration token:

password xxxx

Once the agent is restarted, the password is hashed and obfuscated so that it is no longer visible in plain text, the line being replaced by a string like the one below:

password db6f086273f8c93e57808dafef45eae6ae67ae639eb34b6a6

This behavior is normal and applies likewise to other configuration tokens that can contain sensitive information (user and password for proxy access, etc.).

1.2 Session Timeout

The eHorus web client stays connected to the agent as long as the browser session remains open and the connection is available. If you leave a session open in a tab and forget about it, the agent stays locked to that session until it is closed. To avoid this, the agent has an automatic idle disconnect, set to 5 minutes by default (after 5 minutes of inactivity the session is disconnected). This can be changed with the following configuration token (value in seconds):

session_timeout 300

1.3 Agent connectivity settings

The design goal for eHorus is for the agent to be accessible wherever it may be, even in complex network topologies with faulty connections. For this there are some configuration tokens that regulate how the agent connects to the server. The agent periodically performs a test to check that the connection is still alive (even if it appears to be connected). This is known as keep-alive. The interval in seconds at which it is performed can be modified if you believe it will improve the behavior of your agent in case of power outages, Internet drops, IP changes, etc.

ping_interval 300

Furthermore, you can modify the general network timeout, to raise or lower it according to your specific needs. The default setting is 5 seconds.

timeout 5

Lastly, there are two advanced parameters, which we do not recommend modifying unless you know exactly what you are doing, that regulate the maximum payload size and the maximum block size. Both are specified in bytes.

max_payload_size 131072
block_size 16384

1.4 Use of proxies

The eHorus agent connects to the eHorus server on the Internet over port 18080. If that connection is not possible, you can optionally instruct the agent to connect through a proxy. To do so, edit the agent configuration file (as administrator) and add the following configuration tokens, specifying the IP address and port of the HTTP proxy the agent should use. The proxy must support the CONNECT method.

proxy_address 127.0.0.1 
proxy_port 3186

1.5 Sending information on the remote system

By default, the eHorus agent sends a small summary of the device on which it’s installed (HDD, RAM, CPU, OS version, etc.). If you do not wish to send this information for security reasons, it can be disabled with the following configuration token:

disable_info 1

1.6 Local connection against the agent

Optionally, the agent can listen on a local IP/port and accept incoming connections directly from the eHorus client. Even though the connection is local, the agent always contacts the eHorus server online to validate the client connection (user/password) and grant access, in addition to the local agent authentication if one is configured.

To enable this, at least the following token must be set in the agent configuration file:

eh_local_port 41118

The agent tries to determine the most appropriate IP address to listen on. This is the address that is "published" on the portal so that the client can connect; generally it is the IP from which the agent connects to the server. If it is detected incorrectly, or you prefer to set it manually, use the following configuration token:

eh_local_address 192.168.50.2

Bear in mind that this connection mode gives a significant speed increase for remote desktop and file transfer. On the other hand, it requires that the communication between the client and the agent is not blocked by corporate or local firewalls. On Windows and Linux systems there are usually personal firewalls that block incoming external connections. These must be disabled (or at least configured to allow inbound connections to the agent's local port).

When an agent has the local connection mode enabled, the device can be accessed directly, using a variant of the interface that lets you choose between a remote or a direct connection:

(Image: Ehorus-modo-conexion-local.png)

Due to security restrictions in the WebSocket protocol, a local connection can only be made from a Chrome, Firefox or Microsoft Edge browser. This connection mode is not supported in Safari or Internet Explorer.

1.7 SSL certificate connection

For the local connection to be secure and reliable, the agent can be given a valid SSL certificate file (from a CA recognized by the browser that will be used). This must be set up manually with the following configuration tokens:

eh_local_cert /full_path/to_public_ssl_cert
eh_local_key /full_path/to_private_ssl_key

Files must be in PEM format (OpenSSL).

1.8 Connecting without SSL certificates: Chrome

Right click and a dialogue will appear informing you that the page is trying to load unauthorized scripts. Click on "Load unsafe scripts".

(Image: Conexion-sin-ssl-chrome.png)

1.9 Connecting without SSL certificates: Firefox

For Firefox you need to modify the browser settings. In a new tab, type about:config. You will see a warning that this configuration is meant for advanced users. Click on "I'll be careful, I promise!"

(Image: Conexion-sin-ssl-firefox.png)

Search for the preference named network.websocket.allowInsecureFromHTTPS. Right click and select Modify to change the value to true.

(Image: Conexion-sin-ssl-firefox-modificar.png)

This change is permanent. There is no need to change the configuration in later browser sessions.

1.10 Configuring file transfers

The agent allows specifying a directory from which files can be uploaded and downloaded. This base directory is specified in the configuration file using the following configuration token:

storage_dir /home/ehorus

On Windows, if you wish to give access to all drives, you can set this parameter to the value '/'.

1.11 Log files

The agent can optionally record information on its status, incoming connections, issues, etc. in a text log file. To do so, set the configuration token that specifies the log file:

log_file 'C:\ProgramData\ehorus_agent\ehorus_agent.log'

You can also modify how much information is written to that log file with the following configuration token:

verbose X

Where X is a numeric value from 0 to 9. A value of 0 gives the minimum information and 9 gives debugging (maximum) information. The agent does not control the size of the log, so if it is configured for the maximum amount of information a very large log can be generated. For example:

verbose 4

1.12 Agent re-provisioning

If for whatever reason the agent needs to be re-provisioned, follow these steps:

1. Stop the agent.
2. Delete the "eh_hash" and "eh_key" configuration tokens from the configuration file and restart the agent. It should be re-provisioned with a different EKID.

1.13 Activate/deactivate delete file

The file deletion feature of the remote file manager can be deactivated (it is active by default). Use the following configuration token:

enable_file_delete 0

1.14 Hide application icon

The application launcher icon, visible in the notification area, can be deactivated (it is active by default). Use the following configuration token:

hide_tray 1

The value 1 means the application is not launched and the icon is not visible. The default value is 0.

1.15 Desktop pop-up alerts and access requests

An optional feature allows the user to receive an external access alert and/or an external access confirmation request. This is to comply with legal regulations regarding remote computer access. Default status is deactivated, but it can be activated by configuration tokens.

The feature can be configured on an individual basis to regulate access to specific services (file transfer, process management, service management, remote shell, remote desktop, share access), and also to disable any of the same services.

The possible values for these configuration elements are: Request, Inform, Always or Disable.

Request: this value will ask the user to accept the incoming request, via a pop-up window. The window is on timeout, and access will be denied unless the request is actively accepted.

Inform: only notifies the local user. Whether or not the user sees or acknowledges the notification, the remote user gains access.

Always: the remote user can enter without the local user authorizing or receiving any pop-up. The default setting.

Disable: the service will be unavailable.

access_terminal always|request|inform|disable
access_display always|request|inform|disable
access_processes always|request|inform|disable 
access_services always|request|inform|disable
access_files always|request|inform|disable 
access_share always|request|inform|disable

To configure the timeout on the pop-up window, go to:

access_dialog_timeout 30

The default value is 30 seconds and can't be more than the client's keepalive refresh rate (60 seconds).

To use a custom pop-up system, load the following external DLL:

access_method 'C:\path\to\dll'

The "Information" screen should look like this:

(Image: Ehorus-popup-informacion.png)

When the configuration "forces" the local user to confirm the connection, the following information is displayed:

(Image: Ehorus-popup-confirmar-conexion.png)

This function is not enabled on Linux.
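An added example, not part of the eHorus documentation: a Python script that parses an ehorus_agent.conf and flags the settings that sections 1.1, 1.5, 1.6/1.7, 1.10, 1.11, 1.13 and 1.15 above describe as sensitive. The sample configuration is constructed, and the rule that a hashed password appears as a long lowercase hex string is an assumption taken from the example in 1.1.

```python
import re
from typing import Dict, List

# Constructed sample ehorus_agent.conf (not a real deployment file).
SAMPLE_CONF = """\
# eHorus agent configuration (constructed sample)
password hunter2
eh_local_port 41118
eh_local_address 192.168.50.2
storage_dir /
enable_file_delete 1
access_files always
access_terminal always
verbose 9
log_file 'C:\\ProgramData\\ehorus_agent\\ehorus_agent.log'
"""

def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'token value' lines; '#' starts a comment, surrounding quotes are stripped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        token, _, value = line.partition(" ")
        conf[token] = value.strip().strip("'\"")
    return conf

def audit_conf(conf: Dict[str, str]) -> List[str]:
    """Flag settings the documentation describes as sensitive or risky."""
    findings: List[str] = []
    pw = conf.get("password")
    # Assumption: a hashed password shows up as a long lowercase hex string (see 1.1).
    if pw and not re.fullmatch(r"[0-9a-f]{32,}", pw):
        findings.append("password still in clear text; restart the agent so it is hashed")
    if "eh_local_port" in conf and not {"eh_local_cert", "eh_local_key"}.issubset(conf):
        findings.append("local connection enabled without eh_local_cert/eh_local_key")
    if conf.get("storage_dir") == "/":
        findings.append("storage_dir '/' exposes every drive to file transfer")
    if conf.get("enable_file_delete", "1") != "0":
        findings.append("remote file deletion enabled (enable_file_delete)")
    for svc in ("terminal", "display", "processes", "services", "files", "share"):  # 'always' is the default
        if conf.get(f"access_{svc}", "always").lower() == "always":
            findings.append(f"access_{svc} is 'always': no local alert or consent")
    if conf.get("verbose", "0").isdigit() and int(conf["verbose"]) >= 8:
        findings.append("verbose >= 8: the agent does not limit log size")
    if conf.get("disable_info", "0") != "1":
        findings.append("system summary (HDD/RAM/CPU/OS) is sent to the server")
    return findings
```

Run `audit_conf(parse_conf(open(path).read()))` against a real agent file to get the list of findings; an empty list means none of the documented risky settings were found.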

1.16 Dual screen

On Windows systems with multiple monitors the agent automatically detects the primary screen. If you want to use another screen, or several at the same time, modify the agent configuration file:

display_selected -1 | 0 | 1 | 2

Value -1: display all monitors.
Value 0 (default): display the primary screen.
Value 1: display screen #1 (usually the second monitor).
Value 2 and above: display screens 2, 3, 4, etc., if present.