Ehorus: Documentation: Advanced configurations
- 1 Advanced Configurations
- 1.1 Agent password
- 1.2 Session Timeout
- 1.3 Agent connectivity settings
- 1.4 Use of proxies
- 1.5 Sending information on the remote system
- 1.6 Local connection against the agent
- 1.7 SSL certificate connection
- 1.8 Connecting without SSL certificates: Chrome
- 1.9 Connecting without SSL certificates: Firefox
- 1.10 Configuring file transfers
- 1.11 Registry files
- 1.12 Agent re-provisioning
- 1.13 Activate/deactivate delete file
- 1.14 Hide application icon
- 1.15 Desktop pop-up alerts and access requests
- 1.16 Dual screen
1 Advanced Configurations
Any configuration change in the agent requires the agent to be restarted before it takes effect.
Windows: Control panel -> Services -> eHorus Agent -> restart
macOS: launchctl start com.ehorus.ehorus_agent
The eHorus configuration file can be found under the following directory:
In order to modify it, you need administrator privileges (root on Linux); on Windows, run a shell, Notepad or Explorer as an administrator (right click -> Run as administrator).
1.1 Agent password
Optionally you can specify an agent connection password, which can differ for each device. This password is written in clear text in the agent configuration file, using the following configuration token:
Once the agent is restarted, the password is hashed and obfuscated so that it is no longer visible in clear text, being replaced by a string like the one below:
This behavior is normal and similar for other configuration tokens that can include sensitive information (user and password for proxy access, etc.).
1.2 Session Timeout
The eHorus web client stays connected to the agent as long as the browser session remains open and the connection is available. If you leave the session open and forget about it (for example in a background tab), the session to that device stays occupied until it is closed. To avoid this, the agent has an automatic idle disconnect, set to 5 minutes by default (after 5 minutes of inactivity the session is disconnected). This can be changed with the following configuration token:
1.3 Agent connectivity settings
The design goal for eHorus is for the agent to be reachable wherever it is, even in complex network topologies with unreliable connections. For this there are several configuration tokens that regulate how the agent connects to the server. The agent periodically tests that the connection is still alive (even if it appears to be connected); this is known as keep alive. The interval in seconds at which this test is performed can be modified if you believe it will improve the behavior of your agent in case of power outages, Internet drops, IP changes, etc.
Furthermore, you can modify the general network timeout, raising or lowering it according to your needs. The default is 5 seconds.
Lastly, there are two advanced parameters, which we do not recommend modifying unless you know exactly what you are doing, that regulate the maximum payload size and the maximum block size. Both are specified in bytes.
max_payload_size 131072
block_size 16384
1.4 Use of proxies
The eHorus agent connects to an eHorus server on the Internet on port 18080. If that port cannot be reached, you can optionally configure the agent to connect through a proxy. To do so, edit the agent configuration file (as an administrator) and add the following configuration tokens, specifying the IP address and port of the HTTP proxy the agent should use. The proxy must support the CONNECT method.
proxy_address 127.0.0.1
proxy_port 3186
1.5 Sending information on the remote system
By default, the eHorus agent sends a small summary of the device on which it is installed (HDD, RAM, CPU, OS version, etc.). If you do not wish to send this information for security reasons, it can be disabled with the following configuration token:
1.6 Local connection against the agent
Optionally, the agent can listen on a local IP/port and accept incoming connections directly from the eHorus client. Even though the connection is local, the eHorus agent always contacts the eHorus server online to validate the client connection (user/password) before granting access, in addition to the local agent authentication if one is configured.
For this, at least the following token must be enabled in the agent configuration file:
The agent tries to determine the most appropriate IP address to listen on. This is the address "published" on the portal so that the client can connect to it; generally it is the IP address from which the agent connects to the server. If it is detected incorrectly, or if you would rather set it manually, the following configuration token can be used:
Bear in mind that in this connection mode there is a noticeable speed improvement for remote desktop and file transfer. On the other hand, it requires that the communication between the eHorus client and the remote agent is not blocked by corporate or local firewalls. Windows and Linux systems nowadays generally run personal firewalls that block incoming external connections; these must be adjusted to allow the connection.
When an agent has local connection mode enabled, the device can be accessed directly, using a variant of the interface that allows choosing between a remote or a direct connection:
Due to security restrictions in the WebSocket protocol, a local connection can only be made from a Chrome, Firefox or Microsoft Edge browser. This connection mode is not supported on Safari or Internet Explorer.
1.7 SSL certificate connection
In order for the local connection to be secure and reliable, the agent can be given a valid SSL certificate (issued by a CA recognized by the browser you will be using). This has to be set up manually with the following configuration tokens:
eh_local_cert /full_path/to_public_ssl_cert
eh_local_key /full_path/to_private_ssl_key
Files must be in PEM format (OpenSSL).
1.8 Connecting without SSL certificates: Chrome
Right click and a dialogue appears informing you that the page is trying to load unsafe scripts. Click on "Load unsafe scripts".
1.9 Connecting without SSL certificates: Firefox
For Firefox you need to modify the browser settings. In a new tab type 'about:config'. You will be shown a warning that this configuration is meant for advanced users; click on "I'll be careful, I promise!".
Search for the preference named network.websocket.allowInsecureFromHTTPS. Right click and select Modify to change the value to true.
This change is permanent; there is no need to repeat it in later browser sessions.
1.10 Configuring file transfers
The agent allows specifying a base directory from which files can be uploaded and downloaded. This directory is set in the configuration file with the following configuration token:
On Windows, if you wish to access all drives, set this parameter to the value '/'.
1.11 Registry files
The agent can optionally write information about its status, incoming connections, issues, etc. to a text log file. To enable this, set the configuration token that specifies the log file:
You can also control how much information is written to that log file with the following configuration token:
Where X is a numeric value from 0 to 9. A value of 0 gives minimal information and 9 is the most verbose (debug) level. The agent does not control the size of the log, so if it is configured for maximum verbosity a very large log file can be generated.
1.12 Agent re-provisioning
If for whatever reason the agent needs to be re-provisioned, follow these steps:
1. Stop the agent.
2. Delete the "eh_hash" and "eh_key" configuration tokens from the configuration file and restart the agent. It will be re-provisioned with a different EKID.
1.13 Activate/deactivate delete file
The delete-file feature of the remote file manager can be deactivated (it is active by default). Use the following configuration token:
1.14 Hide application icon
The launch application icon, shown in the notification area, can be deactivated (it is active by default). Use the following configuration token:
The value 1 means the application is not launched and the icon is not visible. The default value is 0.
1.15 Desktop pop-up alerts and access requests
An optional feature allows the local user to receive an alert about external access and/or a confirmation request before external access is granted. This helps comply with legal regulations regarding remote computer access. It is deactivated by default, but can be activated with configuration tokens.
The feature is configured per service (file transfer, process management, service management, remote shell, remote desktop, share access), and the same tokens can also be used to disable any of those services.
The possible values for these configuration elements are: Request, Inform, Always or Disable.
Request: the local user is asked to accept the incoming request via a pop-up window. The window has a timeout, and access is denied unless the request is actively accepted.
Inform: the local user is only notified. The remote user gains access whether or not the local user sees or acknowledges the notification.
Always: the remote user gains access without the local user authorizing it or seeing any pop-up. This is the default setting.
Disable: the service is unavailable.
access_terminal always|request|inform|disable
access_display always|request|inform|disable
access_processes always|request|inform|disable
access_services always|request|inform|disable
access_files always|request|inform|disable
access_share always|request|inform|disable
To configure the timeout on the pop-up window, go to:
The default value is 30 seconds and can't be more than the client's keepalive refresh rate (60 seconds).
To use the custom pop-up system, load the following external DLL:
The "Information" screen should look like this:
When the configuration "forces" the local user to confirm the connection, the following information is displayed:
This function is not enabled on Linux.
1.16 Dual screen
On Windows systems with multiple monitors the agent automatically detects the primary screen. If you want to use another screen, or several at the same time, modify the agent configuration file:
display_selected -1 | 0 | 1 | 2
Value -1: displays all monitors.
Value 0 (default): displays the primary screen.
Value 1: displays screen #1 (usually the second monitor).
Value 2 and up: displays screen 2, 3, 4, etc., if present.
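Because the agent accepts the tokens above as plain "token value" lines and does not validate them before restart, a pre-restart check is useful. The following validator is an added example, not part of eHorus, and covers the tokens named in sections 1.3, 1.4, 1.7, 1.15 and 1.16; the parser's treatment of blank and '#' lines and the sample configuration are assumptions.

```python
"""Validate eHorus agent configuration tokens before restarting the agent."""
from __future__ import annotations

ACCESS_TOKENS = ("access_terminal", "access_display", "access_processes",
                 "access_services", "access_files", "access_share")
ACCESS_VALUES = {"always", "request", "inform", "disable"}

# Constructed sample config: one token per line; eh_local_key is deliberately missing.
SAMPLE_CONFIG = """\
max_payload_size 131072
block_size 16384
proxy_address 127.0.0.1
proxy_port 3186
eh_local_cert /full_path/to_public_ssl_cert
access_terminal request
access_display Inform
access_files disable
display_selected -1
"""


def parse_config(text: str) -> dict[str, str]:
    """Parse 'token value' lines; blank lines and '#' comments are skipped (assumption)."""
    tokens: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        tokens[key.strip()] = value.strip()
    return tokens


def validate(tokens: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means all checks passed."""
    problems: list[str] = []
    for key in ACCESS_TOKENS:  # section 1.15: values are case-insensitive keywords
        if key in tokens and tokens[key].lower() not in ACCESS_VALUES:
            problems.append(f"{key}: {tokens[key]!r} is not always|request|inform|disable")
    for key in ("max_payload_size", "block_size", "proxy_port"):  # sections 1.3 and 1.4
        if key in tokens and not tokens[key].isdigit():
            problems.append(f"{key}: must be a positive integer")
    if tokens.get("proxy_port", "1").isdigit() and not 1 <= int(tokens.get("proxy_port", "1")) <= 65535:
        problems.append("proxy_port: out of range 1-65535")
    # Section 1.7: a TLS listener needs both the certificate and its private key.
    if ("eh_local_cert" in tokens) != ("eh_local_key" in tokens):
        problems.append("eh_local_cert and eh_local_key must be set together")
    if "display_selected" in tokens:  # section 1.16: -1 (all) or a monitor index >= 0
        value = tokens["display_selected"]
        if not (value.lstrip("-").isdigit() and int(value) >= -1):
            problems.append("display_selected: must be -1 or a non-negative integer")
    return problems
```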