Security - How To's

How to secure communication between WAN agents and Desktop Central Server?

Description

This document explains the steps involved in securing the communication between the Desktop Central server and the WAN agents installed in various remote locations.

Recommendation 

You will have to follow the steps mentioned below:

  1. Configure the Desktop Central server so that it is reachable via a public IP/FQDN address. You can also configure the edge device/router so that all requests sent to the public IP/FQDN address are redirected to the Desktop Central server.
  2. Ensure that the Desktop Central server has permission to reach/access the Active Directory if applicable.
  3. It is always recommended to use HTTPS mode for agent-server communication.
  4. It is recommended to secure communication for Remote Control (Tools -> Remote Control -> Settings).
  5. If you want to restrict access to the web console through the public IP/FQDN address, follow the steps below:
    1. Navigate to the <ManageEngine>\DesktopCentral_Server\conf folder on the machine where you have installed the Desktop Central server.
    2. Open the websettings.conf file using Notepad or WordPad and update the property ui.access.restricted.hostnames=. You will have to specify the type of access that needs to be restricted. Refer to the example below:
      If you want to restrict UI access through the Internet and allow access only via the intranet, enter ui.access.restricted.hostnames=252.2.2.33, desktopcentral.com in websettings.conf. You can then access the Desktop Central web console only using localhost (https://localhost:8383), the local IP (https://192.XXX.XX.XX:8383) and the computer name (https://DCServerComputer:8383). The Desktop Central server cannot be accessed using the public IP (https://252.2.2.33:8383) or the FQDN (https://desktopcentral.com:8383).
    3. Save the file.
    4. Restart the Desktop Central service (Start >> Run >> Services.MSC >> "ManageEngine DesktopCentral Server" service >> Right click >> Restart).
  6. You will have to ensure that the following ports are open on the firewall based on the features that you use.

    | Port | Type  | Purpose | Connection |
    |------|-------|---------|------------|
    | 8027 | TCP   | To complete on-demand tasks like inventory scanning, patch scanning, remote control, remote shutdown and moving agents from one remote office to another | Inbound to Server |
    | 8022 | HTTP  | To enable Chat and System Manager | Inbound to Server |
    | 8383 | HTTPS | For communication between the agent or distribution server and the Desktop Central server | Inbound to Server |
    | 8443 | HTTPS | For Sharing Remote Desktops | Inbound to Server |
    | 8031 | HTTPS | For transferring files | Inbound to Server |

You have now secured communication between the Desktop Central server and the WAN agents.
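
To confirm that the step 5 edit covers every public name, the check below reads the contents of a websettings.conf and reports which public IP/FQDN entries are still missing from ui.access.restricted.hostnames. It is an added example, not ManageEngine code; the function names, the sample file contents and the treatment of `#` lines as comments are assumptions.

```python
"""Audit websettings.conf for the step 5 web-console restriction (added example)."""

PROPERTY = "ui.access.restricted.hostnames"  # property name from step 5


def restricted_hostnames(conf_text):
    """Return the hostnames listed in the property, or None if it is absent.

    Assumptions: the file holds plain key=value lines, lines starting with
    '#' are comments, and the last occurrence of the property is effective.
    """
    found = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() != PROPERTY:
            continue
        # Entries are comma separated; surrounding spaces are ignored.
        # Quote characters are NOT stripped, so a quoted entry never matches
        # and is reported as unrestricted (the conservative outcome).
        found = {h.strip().lower() for h in value.split(",") if h.strip()}
    return found


def audit(conf_text, public_names):
    """Return the public IP/FQDN entries that are not yet restricted.

    Names are compared case-insensitively, as DNS names are.
    """
    restricted = restricted_hostnames(conf_text) or set()
    return sorted(n.lower() for n in public_names if n.lower() not in restricted)


# Constructed sample contents, using the example values from step 5.
SAMPLE_BEFORE = "# constructed sample\nui.access.restricted.hostnames=\n"
SAMPLE_AFTER = "ui.access.restricted.hostnames=252.2.2.33, desktopcentral.com\n"
PUBLIC_NAMES = ["252.2.2.33", "desktopcentral.com"]

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        missing = audit(text, PUBLIC_NAMES)
        print(label, "->", "OK" if not missing else "still exposed: " + ", ".join(missing))
```

An empty result from `audit` means every public name is listed in the property; the restart in step 5.4 is still required before the server applies the change.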