
Security and compliance

Manage U-Series Appliance security and compliance settings

Download and upload a crypto key

  1. From the left sidebar, under Security and Compliance, click Data Encryption Key.
  2. To download a crypto key:
    • Under Download Crypto Key Options, create an encryption password and confirm it.
    • Click Export and Download Crypto Key. The crypto key zip file is created and downloaded to your system.
  3. To upload a crypto key:
    • Under Upload Crypto Key Options, enter the encryption password.
    • Drag and drop the crypto key zip file into the drop area or click the button to browse to the zip file.
    • Click Generate Uploaded Crypto Key.

Check FIPS compliance

Federal Information Processing Standard (FIPS) is a US and Canadian government standard that defines a minimum set of security requirements for cryptographic systems. Enabling FIPS Mode in your local computer policy forces Windows to use FIPS-compliant algorithms for encryption, hashing, and signing.

To enable FIPS Mode, take the following steps:

  1. From the left sidebar, under Security and Compliance, click Local Computer Policy.
  2. Expand the FIPS Compliance section.
  3. Click the toggle to enable FIPS Mode.
  4. Click Update FIPS Settings.
  5. You must reboot the U-Series Appliance for this setting to take effect.

Enable SSL authentication

  1. From the left sidebar, under Security and Compliance, click Client Connections.
  2. Under Event Service Security, toggle the SSL (Secure Socket Layer) and Client Certificate Authentication Required option to enable it.

⚠️

Important

We do not recommend disabling SSL certificate authentication. SSL authentication should be disabled only in certain rare circumstances, such as during testing.

Generate and export certificates

  1. From the left sidebar, under Security and Compliance, click Certificate Management.
  2. To regenerate the SSL certificate to match the U-Series Appliance network name, under Generate SSL Certificate, click Generate Certificate.

ℹ️

Note

This certificate will not be trusted by the client browser.

  3. To export the client certificate, under Export Certificate, enter and confirm the password for the certificate, and then click Export and Download Certificate.

Set a security protocol

  1. From the left sidebar, under Security and Compliance, click Security Protocols.
  2. Under Security Protocols, select the security protocol that applies to your environment.
  3. Click Update Security Protocols.

Enable HTTP Strict Transport Security (HSTS)

You can apply extra security to the U-Series Appliance website by using HSTS technology.

  1. From the left sidebar, under Security and Compliance, click Client Connections.
  2. Under HSTS (HTTP Strict Transport Security), toggle the option to enable it.

Enable Host Headers Restriction State (HHRS)

You can apply extra security to the U-Series Appliance website by enabling HHRS to restrict appliance requests to specific host names. This prevents host header injection vulnerabilities.

  1. From the left sidebar, under Security and Compliance, click Client Connections.
  2. Under HHRS (Host Headers Restriction State), toggle the option to enable it.
  3. Enter a comma-separated list of appliance names.
  4. Click Update Host Readers.
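
The following sketch is an added example, not BeyondTrust code: it models how a host-name allowlist like the comma-separated list entered in step 3 can be matched against the Host header of incoming requests. The function names, the sample appliance names and the normalization rules (case folding, port and trailing-dot stripping, exact match) are assumptions for illustration; this page does not document the appliance's own matching rules.

```python
# Illustrative model of a host-name allowlist; not the appliance's own code.
HOST_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-.")


def normalize_host(host_header):
    """Lower-case a Host value, drop port and trailing dot; None if malformed."""
    host = host_header.strip().lower()
    name, sep, port = host.partition(":")
    if sep and not port.isdigit():   # also rejects IPv6 literals (not handled)
        return None
    name = name.rstrip(".")
    if not name or not set(name) <= HOST_CHARS:
        return None
    return name


def parse_allowed_hosts(csv_value):
    """Turn the comma-separated list of names into a normalized set."""
    names = (normalize_host(item) for item in csv_value.split(","))
    return {name for name in names if name}


def is_request_allowed(host_header, allowed):
    """Exact match only: no suffix, prefix or substring matching."""
    host = normalize_host(host_header or "")
    return host is not None and host in allowed


# Constructed sample: names an administrator might enter in step 3.
ALLOWED = parse_allowed_hosts("ubt01.corp.example, ubt01, 10.0.0.15")

# Constructed Host header values as they could arrive on requests.
SAMPLES = [
    "UBT01.corp.example:443",               # case and port differ: allowed
    "ubt01.",                               # trailing dot: allowed
    "unlisted.example",                     # not in the list: rejected
    "ubt01.corp.example.unlisted.example",  # listed name as prefix: rejected
    "ubt01@unlisted.example",               # invalid character: rejected
    "",                                     # missing Host value: rejected
]


def audit(samples, allowed):
    """Map each sample Host value to the allow/reject decision."""
    return {sample: is_request_allowed(sample, allowed) for sample in samples}


if __name__ == "__main__":
    print(audit(SAMPLES, ALLOWED))
```

When you build the list for step 3, include every name clients legitimately use to reach the appliance (short name, fully qualified name, IP address), since any name left out of the list is restricted along with the unwanted ones.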

Configure Password Safe on the U-Series Appliance

To set up Password Safe on the U-Series Appliance, you must turn on the Password Safe Web Portal feature.

ℹ️

Note

If you use Password Safe, all credentials stored in the database are encrypted with an AES-256 block cipher implemented by RijndaelManaged.

ℹ️

Note

For more information, please see Password Safe Web Portal.

Upload SSL certificate

  1. From the left sidebar, under Security and Compliance, click Certificate Management.
  2. Under Upload Certificate, drag the certificate file into the drop box or click the box to browse and select a file to upload.
  3. Enter the password.
  4. To update the bindings in IIS, set the Bind to HTTPS on update toggle to on.
  5. To enable this certificate for multiple U-Series Appliances, set the Use for High Availability switch to on.
  6. Click Upload Certificate.

To generate an SSL certificate to match the U-Series Appliance name:

  1. From the left sidebar, under Security and Compliance, click Certificate Management.
  2. To regenerate the SSL certificate to match the U-Series Appliance network name, under Generate SSL Certificate, click Generate Certificate.

ℹ️

Note

This certificate will not be trusted by the client browser.

  3. To export the client certificate, under Export Certificate, enter and confirm the password for the certificate, and then click Export and Download Certificate.

Archive Password Safe session monitoring events

To make more disk space available on the U-Series Appliance, you can transfer session monitoring files from the U-Series Appliance to another server for storage. You can view these archived files in Password Safe.

There are three types of remote hosts that can be used to store session archive files:

  • Remote network share. We recommend that you use a secure network share that requires authentication.
  • Network File System (NFS) share.
  • A remote server on which you run the Configure Repository Installer, which creates an IIS site and enables Background Intelligent Transfer Service (BITS). Files are transferred using BITS.

Session monitoring files are archived in one of two ways:

  • Automatically by the U-Series Appliance. Automatic archives occur in the following cases:
    • When the file reaches the configured age.
    • When free space on the U-Series Appliance hard drive is below the configured threshold.
  • Manually through Password Safe. Archive files are never deleted.

ℹ️

Note

For more information, please see the following:

Set up the repository host

Repository host requirements

  • Windows 2016 or later.
  • Port 443 open.
  • IIS 7.5 or later.
  • ASP.NET 4.5.
  • Setup Session Monitoring Repository tool, located at C:\Appliance\Tools\ConfigureRepository.exe.

ℹ️

Note

In Server Manager, install and enable BITS. Activating BITS ensures prerequisites are installed regardless of OS or IIS version installed.

ℹ️

Note

If you are using IIS 7.5 and the ASP.NET 4.5 role did not install automatically:

  1. Install the ASP.NET role.
  2. Run the command C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -i.
  3. Log in to Server Manager and select the IIS instance.
  4. Double-click ISAPI and CGI Restrictions.
  5. Ensure that ASP.NET 4.0 is set to Allowed.

Run the repository configuration tool

The repository configuration tool creates a certificate on the host computer.

  1. Run the repository configuration tool.
  2. Click the Create Certificate button.
  3. Enter a password for the exported certificate.
  4. Click Export Certificate and choose a location for the file with the exported certificate.
  5. Copy the exported certificate to a location that can be accessed by the U-Series Appliance. You must import the certificate using the Diagnostics website.

Set up the U-Series Appliance

If using the installed repository, you must register the certificate on the U-Series Appliance. Optionally, you can change the archive settings, such as the number of days that should pass before the files are archived.

  1. From the left sidebar, under Security and Compliance, click Certificate Management.
  2. Upload the certificate that you created on the host, and then click Upload Certificate.
  3. From the left menu, under Features and Services, click Appliance Feature Configuration.
  4. Click the Change Configuration button at the bottom of the page.
  5. Click the toggle to turn on the Session Monitoring Archive feature.
  6. Select how you want to transmit the session monitoring files to the external data repository:
    • Windows File Sharing: Enter the full path to the share and credentials to access it. Windows file sharing is the preferred method.
    • BITS (Background Intelligent Transfer Service): Enter the name of the repository computer and the name of the certificate. These are the same name.
    • NFS (Network File System) File Sharing: Enter the full path to the share.
  7. Set the rules for when to archive the session monitoring recording files and the time limit for transferring files.
  8. Click Save Configuration to save the settings.

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.