This shows you the differences between two versions of the page.

remote_control50 [2019/06/06 11:42]
remote_control50 [2020/02/14 11:42] (current)
Line 1: Line 1:
 ====== Remote managment ====== ====== Remote managment ======
-{{remote_control1.png}}+The “Remote Management” module is located in the “Network” menu. The “Remote management” module helps to manage several ICS CUBE's from one ICS CUBE server. You can see it’s status on the main page of the module, the “Disable” button (ot “Enable” when the module is already disabled) and last log messages.
-The “remote control” module helps to manage several ICS CUBE's from one ICS CUBE server+{{:​remote_control1.png?650|}}
-Server, from which you organize centralized control is named “Head node”, server, that is managed remotely, is named “Child node”.+===== Settings=====
-Let’s go through the settings with an example+{{:​remote_control2.png?|}}
-{{remote_control2.png}}+The “Use remote management” flag allows you to set the use of remote management and make the appropriate settings. If this flag is set, it is proposed to select the ICS CUBE operating mode - “Server” or “Client”,​ as well as install the CA certificate and certificate from the “Certificates” module. If you select the "​Server"​ mode, then this ICS CUBE will work as a server, and the rest of the ICS CUBE’s will connect to it. The flag “Automatically create a permitting rule” will also be available to create an allow rule in the set of firewall rules. If you select the "​Client"​ mode, then this ICS CUBE will work as a client and it will be possible to manage it with ICS CUBE, which works as a server. In addition, the fields “ID” and “Server IP” for filling will become available. In the “ID” field, a unique customer identifier is automatically generated (but you can change it) in the format “node- * * * * * * * * *”, where '​*'​ is a digit or any Latin letter (the case is case-sensitive). In the “Server IP” field, both the IP-address and the server domain name can be indicated.
-For organize this kind of schema you need to set up ICS CUBE with address to be the head nodeYou can set it up in Network – Remote management – Use as… - Head node - Save+In general, for the functioning ​of remote management, it is necessary ​to create three certificates for ICS CUBE with the “Server” mode: Root Certificate (CA Certificate),​ Certificate for Server, Certificate for ClientFurther, the creation of certificates is considered through the “Certificates” module ​in ICS CUBE.
-{{remote_control3.png}}+When creating the Root Certificate,​ its type must be “CA”.
-Servers ​with the addresses and should be set up in child node mode: Network – Remote management ​– Use as… Child node – in the “Head node IP” enter” - Save+When creating the Certificate for the Server, either the system’s domain name or the external IP-address of the ICS CUBE with the Server mode should be indicated in the “Host Name or Address” field, the certificate type should be “Final Certificate”,​ it is recommended to select “VPN server"​. 
 +When creating the Certificate for the Client, the type of certificate “Final Certificate”,​ and it is recommended to select “VPN Client” as the template. 
 +Accordingly,​ on ICS CUBE with the “Server” mode there are certificates:​ CA Certificate and Certificate for the ServerICS CUBE with the “Client” mode there are certificates:​ CA Certificate ​and Certificate for the Client (it is recommended to export the certificates in PKCS 12 format)Due to the peculiarity of the TLS implementation,​ there are two modes of interaction between the client and server: 
 +  - Partially protectedIf on ICS CUBE with the “Client” ​mode in Remote management, in the “Settings” tab, in the “Server IPr” field, specify the IP-address, then the channel protection will be one-way. ICS CUBE with the “Client” mode will not verify the certificate of ICS CUBE with the “Server” mode, while the “Server” will check the “Client” certificate. This feature provides access to the Man-In-The-Middle (MITM) attack, ​in which an attacker can replace ​the “Server” certificate and intercept traffic. 
 +  - Full protection. To ensure full protection, you must: 
 +    * When creating the Certificate for Server, specify the HOST_NAME in the "Host Name or Address"​ field. 
 +    * On ICS CUBE with the “Client” mode, create a DNS-zone for the HOSTNAME, which will refer to the IP-address of the “Server
 +    * On ICS CUBE with the "​Client"​ mode in Remote management, in the "​Settings"​ tab, in the "​Server IP" field, indicate HOST_NAME. With this interaction of the Client” with the “Server”,​ both parties verify the transmitted certificates,​ and a MITM attack is impossible. 
 +===== Nodes===== 
 +In ICS CUBE with the “Server” mode, this tab contains a list of all ICS CUBE’s with the “Client” mode that were connected to the remote management. The list is presented in the form of a table with columns: 
 +  * Name. Set by default from the ID column. It is a modifiable field.  
 +  * ID. It contains a unique identifier specified on the ICS CUBE with the "​Client"​ mode.  
 +  * IP-address. Contains the IP-address of ICS CUBE with the "​Client"​ mode.  
 +  * Status. Contains the value connected / not connected.  
 +  * Description. By default, an empty field is intended for entering notes from the system Administrator. 
 +The "​Edit"​ button allows you to edit the available values ​​in the columns of the table. The “Delete” button deletes information about the connected ICS CUBE to the remote management. To go to the remote ICS CUBE GUI, double-click on its entry in the table. 
 +===== Log. ===== 
 +The “Log” tab displays a summary of all system messages of the module with the date and time. Log is divided into pages, you can navigate between pages using “Next” and “Previous” buttons, or enter the page number to proceed to it directly. 
 +Log entries are marked with color depending on its type. Normal messages are while, system statuses (Enabling/​Disabling) are green, errors are red. 
 +In the top right corner there is a search line. You can use it to look for specific log entries. Log always shows events of the current date. 
 +If necessary, you can save log in a file, using the “Export” button or delete the log data for a certain period by clicking the "​Delete logs" button.
-During the connection to the head node it will ask for login/​password of any user with administrator rights from the head ICS CUBE. By default administrator has “root” as a login and “00000” as a password. When ICS CUBE is marked as a child node, it is assigned with an unique id of node-XXXXXXXX form, where XXXXXXXX is a random combination. ​ 
-On the head node you can see what child nodes are connected: Network – Remote management - Nodes. ​ 
-If you want to open web-interface of a child node, click on its id in the “Nodes” tab on the Head node.  
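Review bot: The added Settings paragraph says of the “Server IP” field that "both the IP-address and the server domain name can be indicated", as if the two were equivalent, while the added "Partially protected" item states that with an IP address the “Client” does not verify the “Server” certificate. State that consequence where the field is first described and name the host-name setup as the recommended one, so a reader who stops at the Settings paragraph does not end up with one-way protection. The "Full protection" steps write the same value as both "HOST_NAME" and "HOSTNAME"; pick one spelling. "A MITM attack is impossible" is stronger than the steps support; wording it as a result of both sides verifying the certificates would match what the text describes. The removed text described a login/password prompt when connecting to the head node, and the added text does not say whether that prompt still exists alongside the certificates. Typos in the added lines: "ot “Enable”", "“Server IPr”", "Normal messages are while"; the unchanged heading still reads "Remote managment".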
remote_control50.1559810524.txt.gz · Last modified: 2019/06/06 11:42 by root