
Remote management

The “Remote management” module is located in the “Network” menu. It lets you manage several ICS CUBEs from one ICS CUBE server. The main page of the module shows its status, the “Disable” button (or “Enable” when the module is already disabled) and the latest log messages.

Settings.

The “Use remote management” flag enables remote management and opens its settings. When the flag is set, you are asked to select the ICS CUBE operating mode, “Server” or “Client”, and to install the CA certificate and the certificate from the “Certificates” module. In “Server” mode, this ICS CUBE works as a server and the other ICS CUBEs connect to it. The “Automatically create a permitting rule” flag also becomes available; it creates an allow rule in the set of firewall rules. In “Client” mode, this ICS CUBE works as a client and can be managed from the ICS CUBE that works as a server. The “ID” and “Server IP” fields also become available. The “ID” field holds a unique client identifier that is generated automatically (you can change it) in the format “node- * * * * * * * * *”, where '*' is a digit or any Latin letter (case-sensitive). The “Server IP” field accepts either the IP address or the domain name of the server.

In general, remote management requires three certificates to be created for the ICS CUBE in “Server” mode: the Root Certificate (CA Certificate), the Certificate for the Server and the Certificate for the Client. The steps below describe creating them through the “Certificates” module in ICS CUBE.

When creating the Root Certificate, its type must be “CA”.

When creating the Certificate for the Server, enter either the system’s domain name or the external IP address of the ICS CUBE in “Server” mode in the “Host Name or Address” field. The certificate type must be “Final Certificate”, and it is recommended to select “VPN server” as the template.

When creating the Certificate for the Client, the certificate type must be “Final Certificate”, and it is recommended to select “VPN Client” as the template.

Accordingly, the ICS CUBE in “Server” mode holds the CA Certificate and the Certificate for the Server, and the ICS CUBE in “Client” mode holds the CA Certificate and the Certificate for the Client (it is recommended to export the certificates in PKCS 12 format). Due to a peculiarity of the TLS implementation, there are two modes of interaction between the client and the server:

  1. Partially protected. If, on the ICS CUBE in “Client” mode, the “Server IP” field on the “Settings” tab of Remote management contains an IP address, the channel protection is one-way. The ICS CUBE in “Client” mode does not verify the certificate of the ICS CUBE in “Server” mode, while the “Server” does check the “Client” certificate. This leaves the channel open to a Man-In-The-Middle (MITM) attack, in which an attacker can replace the “Server” certificate and intercept traffic.
  2. Full protection. To ensure full protection, you must:
    • When creating the Certificate for the Server, specify the HOST_NAME in the “Host Name or Address” field.
    • On the ICS CUBE in “Client” mode, create a DNS zone for the HOST_NAME that points to the IP address of the “Server”.
    • On the ICS CUBE in “Client” mode, in Remote management, on the “Settings” tab, enter the HOST_NAME in the “Server IP” field.
     With this interaction of the “Client” with the “Server”, both parties verify the transmitted certificates, and a MITM attack is impossible.
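A check of the three “Full protection” steps across a set of clients, as an added example that is not part of the ICS CUBE product or its documentation. The function names, the `partial` / `full` / `misconfigured` labels, the DNS-record dictionary and the sample nodes are assumptions; the inputs are assumed to be copied by hand from each client's settings.

```python
import ipaddress

def is_ip_literal(value):
    """True when a field holds an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(value.strip().strip("[]"))
        return True
    except ValueError:
        return False

def norm(name):
    """DNS names compare case-insensitively and without a trailing dot."""
    return name.strip().rstrip(".").lower()

def classify_client(server_field, cert_host, server_ip, client_dns):
    """Return (mode, findings). server_field is the client's "Server IP" value,
    cert_host the server certificate's "Host Name or Address", client_dns a
    {name: ip} copy of the client's DNS zone (hypothetical input format)."""
    if is_ip_literal(server_field):
        # Per the page: connecting by IP means the client skips server verification.
        return "partial", ["connects by IP: server certificate is not verified"]
    findings = []
    if is_ip_literal(cert_host):
        findings.append("server certificate was issued for an IP, not HOST_NAME")
    elif norm(server_field) != norm(cert_host):
        findings.append("Server IP field does not match the certificate host name")
    records = {norm(k): v for k, v in client_dns.items()}
    resolved = records.get(norm(server_field))
    if resolved is None:
        findings.append("no DNS record for HOST_NAME on the client")
    elif ipaddress.ip_address(resolved) != ipaddress.ip_address(server_ip):
        findings.append("DNS record points to %s, not the server" % resolved)
    return ("full" if not findings else "misconfigured"), findings

# Constructed sample data (documentation address ranges and names, not real systems).
SERVER_IP = "203.0.113.10"
CERT_HOST = "cube-hq.example.test"
CLIENTS = {
    "node-a1B2c3D4e": ("203.0.113.10", {}),
    "node-f5G6h7I8j": ("cube-hq.example.test", {"cube-hq.example.test": "203.0.113.10"}),
    "node-k9L0m1N2o": ("CUBE-HQ.example.test.", {"cube-hq.example.test": "198.51.100.7"}),
    "node-p3Q4r5S6t": ("hq.example.test", {"hq.example.test": "203.0.113.10"}),
}

def audit():
    return {n: classify_client(f, CERT_HOST, SERVER_IP, d) for n, (f, d) in CLIENTS.items()}

if __name__ == "__main__":
    for node, (mode, notes) in audit().items():
        print(node, mode, "; ".join(notes))
```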

Nodes.

On an ICS CUBE in “Server” mode, this tab lists all ICS CUBEs in “Client” mode that have connected to remote management. The list is presented as a table with the following columns:

  • Name. Set by default from the ID column. This field can be edited.
  • ID. Contains the unique identifier specified on the ICS CUBE in “Client” mode.
  • IP-address. Contains the IP address of the ICS CUBE in “Client” mode.
  • Status. Contains the value connected / not connected.
  • Description. Empty by default; intended for notes from the system administrator.

The “Edit” button allows you to edit the available values in the columns of the table. The “Delete” button deletes the information about an ICS CUBE connected to remote management. To go to the remote ICS CUBE GUI, double-click its entry in the table.

Log.

The “Log” tab displays a summary of all system messages of the module with the date and time. The log is divided into pages; you can navigate between pages using the “Next” and “Previous” buttons, or enter a page number to go to it directly.

Log entries are color-coded by type: normal messages are white, system statuses (Enabling/Disabling) are green, and errors are red.

In the top right corner there is a search line. You can use it to look for specific log entries. The log always shows events of the current date.

If necessary, you can save the log to a file using the “Export” button, or delete the log data for a certain period by clicking the “Delete logs” button.

remote_control50.txt · Last modified: 2020/02/14 11:42 by zog