
Server settings

In this section of the Management Console, all the configurations related to time zones, monitoring intervals for Turbo users, idle timeouts for users, global endpoint security policy, SSL, and TCP settings are included.

Time Settings

Network Time Protocol (NTP) is the time source for all Gateway nodes, so that their clocks stay consistent (certificate validity checks, log correlation and time-based tokens all depend on it). To configure NTP for the HySecure gateway:

  1. Log on to the Management Console.
  2. Navigate to Settings > Global > Server > Time Settings.
  3. Select Time zone and NTP (Network Time Protocol) server settings for the HySecure Server.
  4. Click Submit. HySecure starts the NTP service and from then on keeps the server's date and time synchronized with the configured NTP server.

Turbo Users Data Transfer Settings

  1. Log on to the Management Console.

  2. Navigate to Settings > Global > Server > Turbo Users Data Transfer Settings.

  3. The Current monitoring time interval is 30 seconds. To change it, enter the new value in Monitoring time interval (secs).

  4. Click Submit.

User Settings

  1. Log on to the Management Console.
  2. Navigate to Settings > Global > Server > User Settings.
  3. Automatically logging the user out after the client machine has been idle for a set period limits the window in which an unattended session can be abused. The inactivity period that triggers the automatic logout is configured on the server.
  4. Enter the idle period (in minutes) in New Idle Timeout. The value must be between 1 and 3600 minutes; the default is 30 minutes.
  5. Click Submit.

Realm Settings

  1. Log on to the Management Console.
  2. Navigate to Settings > Global > Server > Realm Settings.
  3. Select Enable automatic realm detection if several organizations or groups share a single HySecure cluster, each with its own domain name, such as company1.provider.com and company2.provider.com. Each organization has a corresponding HySecure Domain (Realm), here 'company1' and 'company2', configured on the gateway.

    Note

    Ensure the Realm is configured before enabling this option. Once enabled, configure the hostname from the Settings > Authentication > HySecure Domain page. The configured hostname or URL lets users open the organization's login page directly in a browser or from the HySecure client.

  4. Select Don't allow login if realm detection fails to refuse logins for which the realm cannot be determined.
  5. Click Submit.

Global Policy Settings

  1. Log on to the Management Console.
  2. Navigate to Settings > Global > Server > Global Policy Settings.
  3. Select the Allow or Block option from the Default Endpoint Security Policy dropdown.
  4. Set Enable device approval for each user to ON if the device must be approved separately for each user who logs in from it, rather than once for the device itself. Leaving it OFF suits corporate-owned devices shared among multiple users: the device is approved once, and any authenticated user can then use it.
  5. Set Enable mapping of the device for each user to ON if a device-to-user mapping is required. If this is disabled and device approval is not enforced either, the device does not appear in the device list.
  6. Click Submit.

Configuration for Health Status Check

  1. Log on to the Management Console.
  2. Navigate to Settings > Global > Server > Configuration for Health Status Check.
  3. Set Allow access for public IP addresses when accessing the HySecure Gateway to Enable.
  4. Enter the List of allowed public IP addresses. Keep this list to the addresses that actually need access; every entry widens the gateway's exposure.
  5. Click Submit.

Cloud Configurations

  1. Log on to the Management Console.
  2. Navigate to Settings > Global > Server > Cloud Configurations.
  3. Set Allow access for public IP addresses when accessing the HySecure Gateway to Enable.
  4. Enter the List of allowed public IP addresses.
  5. Click Submit.

External Authentication Configuration

  1. Log on to the Management Console.
  2. Navigate to Settings > Global > Server > External Authentication Configuration.
  3. Set Enable External Authentication while accessing the HySecure Gateway to Enable.
  4. Enter the URL of the service that validates the MAC ID for access.
  5. Click Submit.

Configuration for DoS Attack

  1. Log on to the Management Console.
  2. Navigate to Settings > Global > Server > Configuration for DoS Attack.
  3. DoS detection is enabled by default and pre-filled with standard protection settings. Do not change them unless an expert has judged it necessary.
  4. Click Submit.

The fields are as follows (default values in parentheses):

DoS attack detection (Enable)
    Choose Enable to monitor incoming traffic for signs of a DoS attack.

SSL Handshake timeout (secs) (5)
    Maximum time allowed to complete the SSL/TLS handshake. The connection is closed if the handshake has not completed within this time, so a client cannot tie up a connection by stalling mid-handshake.

Loop Timeout (secs) (60)
    Interval after which the gateway acts on a connection that keeps repeating the same action without completing a request.

First data byte read timeout (secs) (5)
    Maximum wait for the first byte of the request after the connection is accepted. A client that connects and then sends nothing (a slow-connection or stalled-connection pattern typical of a DoS attempt) is dropped when this expires.

Max reads for the full request (500)
    Maximum number of read operations allowed per incoming request. A request that needs more reads, for example one trickled in a few bytes at a time, is treated as suspicious.

Initial max request size (KB) (8)
    Initial threshold for the request size, used to reject unusually large requests early.

Maximum request size allowed (5859.375 KB)
    Upper bound on the request size. Requests above this limit are flagged or rejected.

Log enabled for success/failure (False)
    Controls logging of the DoS checks. With the default, only failed or suspicious requests are logged; successful requests are not, to avoid filling the log.

Exit on poll timeout (True)
    When a poll on a connection times out, the gateway stops waiting on it instead of holding resources for a potentially stalled connection.

Server Settings

  1. Log on to the Management Console.

  2. Navigate to Settings > Global > Server > Server Settings.

  3. Select the API protocol version and click Submit. Choose API v1 and API v2 if CAPTCHA settings are enabled from Authentication > HySecure Domain.

  4. The current SSL Port displays the port on which the HySecure server is currently running. Set a new port if required and click Submit. HySecure will restart on changing the port. Avoid using ports 80, 4001, 4002.

  5. The current SSL Timeout shows the configured session timeout. Set a new timeout if required and click Submit.

    Note

    To comply with FIPS 140-2, the required SSL ciphers must be enabled.

  6. SSL 3.0 is enabled by default. Disable it unless a legacy client depends on it (SSL 3.0 is obsolete, deprecated by RFC 7568, and vulnerable to the POODLE padding-oracle attack) and click Submit.

  7. TLS 1.0 is supported by default. Disable it if required (TLS 1.0 and 1.1 are deprecated by RFC 8996) and click Submit.

  8. TLS 1.1 is supported by default. Disable it if required and click Submit.

  9. Select New SSL Ciphers to specify the encryption and key negotiation algorithms.

  10. After selecting new ciphers, the HySecure service will restart.

    Note

    Selecting unsupported Ciphers may cause complete loss of connectivity to the Gateway for any machines or browsers that do not support them.

MAC ID validation configuration

When manual review and approval of devices is configured, every device connecting to the HySecure gateway must be approved before its users can access apps from it. Approving each device by hand burdens the IT team. An organization that already has a service or database recording corporate device identities, and able to return an approval status from device properties, can configure the HySecure gateway to query that service and approve devices automatically without admin intervention. HySecure makes an HTTP call to the external service with the MAC ID, motherboard ID and hostname of the incoming device, and the service confirms or denies the device's identity.

  1. Log on to the Management Console.
  2. Navigate to Settings > Global > Server > MAC ID validation configuration.
  3. Enable MAC ID validation and specify the URL. The default validation script does nothing and approves no device. To use the feature, customize the script /home/fes/pyapp/validateMACForUser.py so that it communicates with the device approval service.
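The following is an added example of the kind of approval service the gateway could call; it is not Accops code, and the query parameters (mac, board_id, hostname), the inventory layout, the JSON reply and the port are all assumptions. It shows the checks a practitioner would want on the service side: normalizing the MAC across the formats different agents emit, requiring the motherboard ID and hostname to match as well (a MAC alone is trivially spoofed), and refusing devices the inventory marks as lost or retired.

```python
"""Device-approval lookup service of the kind HySecure's MAC ID validation can call.

Added example, not Accops code. The request fields (mac, board_id, hostname),
the inventory format, the JSON reply shape and the listen port are assumptions.
"""
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample inventory; a real service would query the CMDB or MDM.
INVENTORY = {
    "00:1a:2b:3c:4d:5e": {"board_id": "MB-8831-AQ", "hostname": "LAPTOP-ALICE", "status": "active"},
    "00:1a:2b:3c:4d:5f": {"board_id": "MB-8832-AQ", "hostname": "LAPTOP-BOB", "status": "lost"},
}

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> Optional[str]:
    """Accept 00-1A-2B-3C-4D-5E, 001A.2B3C.4D5E or 00:1a:2b:3c:4d:5e and return
    the canonical lowercase colon-separated form, or None if it is not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac or "").lower()
    if not _MAC_HEX.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def approve_device(mac: str, board_id: str, hostname: str) -> Tuple[bool, str]:
    """Return (approved, reason). All three identifiers must match one inventory
    record: the MAC alone is user-controllable and must not be the sole factor."""
    canon = normalize_mac(mac)
    if canon is None:
        return False, "malformed MAC"
    rec = INVENTORY.get(canon)
    if rec is None:
        return False, "unknown device"
    if rec["status"] != "active":
        return False, "device status is %s" % rec["status"]
    if rec["board_id"] != (board_id or "").strip():
        return False, "motherboard ID mismatch"
    if rec["hostname"].lower() != (hostname or "").strip().lower():
        return False, "hostname mismatch"
    return True, "approved"


class ApprovalHandler(BaseHTTPRequestHandler):
    """GET /validate?mac=..&board_id=..&hostname=.. -> {"approved": bool, "reason": str}"""

    def do_GET(self):
        q = parse_qs(urlparse(self.path).query)
        approved, reason = approve_device(
            q.get("mac", [""])[0], q.get("board_id", [""])[0], q.get("hostname", [""])[0]
        )
        body = json.dumps({"approved": approved, "reason": reason}).encode()
        # 403 on denial so a caller that only checks the status code also fails closed.
        self.send_response(200 if approved else 403)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ApprovalHandler).serve_forever()
```

The service answers 403 for every denial, so a caller that only inspects the status code still fails closed, and the reason string is for the admin's log rather than for the end user. Whatever the real service looks like, the gateway-side script should treat anything other than an explicit approval as a denial.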

TCP Settings

  1. Log on to the Management Console.
  2. Navigate to Settings > Global > Server > TCP Settings.
  3. Set Keepalive time. The default is 120 seconds. It is the idle time after the last data packet on a connection before the first keep-alive probe is sent. The value is fixed for a connection once that connection has been marked for keep-alive.
  4. Set Keepalive interval. The default is 10 seconds. It is the interval between successive keep-alive probes when a probe goes unanswered; after the permitted number of unanswered probes the connection is treated as dead.
  5. Set Slow start after idle. The default is 1 second.
  6. Set Listen queue count. The default is 256.
  7. Set Max SYN backlog count.
  8. Set FIN timeout.
  9. Set Retries count after RTO.
  10. Set Retries count before closing.

CARTA Settings

Users prefer to be warned before an idle timeout logs them out. The HySecure Gateway can time out a session for two reasons, no user activity and no outbound traffic from the endpoint, and has a configurable early notification for each. A warning is displayed for user inactivity, while for missing outbound traffic a dialog box offers the choice to extend the session or log out.

  1. Log on to the Management Console.
  2. Navigate to Settings > Global > Server > CARTA Settings.
  3. Select Enable client heartbeat.
  4. If required, select Enable continuous authentication.
  5. Click Submit.

Refer to How to Configure Early Notification for Idle Timeout for more details.

TLS Settings

TLS is a widely used protocol that secures communication between two applications, providing authentication, confidentiality and data integrity for web browsing, file transfers, VPN connections, remote desktop sessions and VoIP. It also secures interfaces in modern cellular networks, including 5G.

  1. Log on to the Management Console.
  2. Navigate to Settings > Global > Server > TLS Settings.
  3. Select Verify Peer Certificate and Verify Peer Certificate Curl so that the gateway verifies the certificate presented by the remote peer on the TLS connections it makes (the Curl option covers connections made with curl). Without peer verification an attacker on the path can terminate the connection with any certificate of their choosing.
  4. Click Submit.

WAF Settings

A web application firewall (WAF) filters HTTP traffic to and from a website or web application. It is placed in front of one or more websites and inspects requests at Layer 7, blocking requests that match known attack patterns or deviate from the application's expected behaviour, which reduces exposure to exploits, malware delivery, impersonation and other threats. The WAF header check below lets the gateway confirm that a login request actually passed through the WAF.

  1. Log on to the Management Console.
  2. Navigate to Settings > Global > Server > WAF Settings.
  3. Tick the checkbox against Enable WAF Header Check and configure the below options based on requirement:
    1. WAF Header Name: The name of the custom header that the WAF adds to the requests it forwards (app connect requests excepted). Empty by default.
    2. WAF Header Value: The value the WAF puts in that custom header. Empty by default. Treat it as a secret: anyone who knows it and can reach the gateway directly can pass the check.
  4. Disable WAF Header Check for WAN IP Addresses: Enable this option to allow login without the custom header check for devices connecting from the listed WAN IP addresses.
    1. Allowed Subnet: Comma-separated list of subnets for which the custom header check is skipped at login.
  5. Click Submit.
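As an added example (not HySecure's own code), the check the settings above describe, written out so the edge cases are visible: header names are matched case-insensitively, the value is compared in constant time, and a client address inside one of the exempt subnets bypasses the header check entirely. The function names, the constructed requests and the IPv6 handling are assumptions.

```python
"""WAF header check with a WAN-IP exemption list.

Added example, not HySecure code. Function names, the sample requests and the
decision rules are assumptions made to illustrate the settings.
"""
import hmac
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_subnets(csv: str) -> List[Network]:
    """Parse the comma-separated 'Allowed Subnet' field.
    Bare addresses become host networks (/32 or /128); strict=False tolerates
    entries such as 10.20.5.0/16 whose host bits are set."""
    nets = []
    for item in csv.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def login_allowed(headers: Dict[str, str], client_ip: str, header_name: str,
                  header_value: str, exempt_subnets: List[Network]) -> bool:
    """Return True if the request may proceed to login.

    A request is allowed when it comes from an exempt subnet, or when it carries
    the WAF-inserted header with exactly the expected value. Everything else,
    including a missing or empty header, is refused (fail closed)."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in exempt_subnets):
        return True
    if not header_name or not header_value:
        # Check enabled but not configured: refuse rather than let everything through.
        return False
    # HTTP header names are case-insensitive; compare the value in constant time
    # so a mismatch position is not leaked through timing.
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(header_name.lower())
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), header_value.encode())


if __name__ == "__main__":
    # Constructed sample configuration and requests.
    exempt = parse_subnets("10.20.0.0/16, 192.0.2.7")
    cases = [
        ({"X-WAF-Token": "s3cret"}, "203.0.113.5"),   # via WAF: allowed
        ({}, "203.0.113.5"),                          # bypassed WAF: refused
        ({"x-waf-token": "wrong"}, "203.0.113.5"),    # forged header: refused
        ({}, "10.20.33.1"),                           # exempt subnet: allowed
    ]
    for hdrs, ip in cases:
        print(ip, hdrs, "->", login_allowed(hdrs, ip, "X-WAF-Token", "s3cret", exempt))
```

The check only proves that a request passed through the WAF if clients cannot reach the gateway listener except through the WAF; if the gateway is directly reachable, any client that learns the header value can add it itself, so keep the value long and random and restrict the gateway's listener to the WAF's addresses. The exemption list should be as small as the Allowed Subnet field permits, since every exempt address range is a path around the WAF.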