Connect-Tek Over IP
Idle Session Timeout
When a login session is left unused for some time, it is prudent to disconnect the user. This applies to web
login sessions (via cookies) and SSH logins. This feature may be disabled by setting the value to zero.
Internal Firewall Setup
As an additional layer of protection, we offer an internal firewall. When this feature is enabled, connections will only be accepted from listed hosts. For example, the administrator can key in 10.1.0.1/240 in the “Accept” field; client computers with an IP between 10.1.0.1 and 10.1.0.240 are then allowed to access the CTIP-01 with the right username and password. On the other hand, the user can key in 192.168.1.0/20, for example, in the “Reject” field; client computers with an IP between 192.168.1.0 and 192.168.1.20 are then rejected when they try to access the CTIP-01. This makes the CTIP-01 invisible to them. There are 3 ways to key in the IP addresses:
1. Specific IP addresses: for example, 10.1.0.1, 10.1.0.5, …
2. Net Range: for example, 10.1.0.1/240
3. Host Names: for example, yahoo.com, google.com, …
WARNING: Be careful NOT to lock yourself out! Be certain that your IP will be accepted by your
filter.
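The lock-out check in the warning above can be done before the lists are saved. The following is an added example, not code from the CTIP-01 firmware or its vendor: it reads Net Range entries the way the examples above describe them (a last-octet range, not a CIDR prefix), skips host names because it does not resolve them, and assumes that an empty Accept list imposes no restriction. The function names are hypothetical.

```python
import ipaddress

def parse_entry(entry):
    """Return (first, last) as integers for an IP or Net Range entry, or None
    for a host name. Assumption taken from the manual's examples: 'a.b.c.d/N'
    means a.b.c.d through a.b.c.N (a last-octet range), not a CIDR prefix."""
    base, sep, end = entry.strip().partition("/")
    try:
        first = int(ipaddress.IPv4Address(base))
    except ValueError:
        return None                      # host name: not resolved in this sketch
    if not sep:
        return first, first
    end_octet = int(end)
    if not (first & 0xFF) <= end_octet <= 255:
        raise ValueError(f"range end out of order in {entry!r}")
    return first, (first & 0xFFFFFF00) | end_octet

def range_size(entry):
    """Number of addresses an entry covers under the device's reading."""
    first, last = parse_entry(entry)
    return last - first + 1

def matches(ip, entries):
    addr = int(ipaddress.IPv4Address(ip))
    spans = [s for s in map(parse_entry, entries) if s is not None]
    return any(first <= addr <= last for first, last in spans)

def lockout_check(my_ip, accept, reject):
    """List the reasons my_ip could be locked out by the proposed lists.
    Assumptions: an empty Accept list imposes no restriction; a Reject match
    is always flagged, since the manual does not state list precedence."""
    problems = []
    if accept and not matches(my_ip, accept):
        problems.append("not covered by Accept")
    if matches(my_ip, reject):
        problems.append("covered by Reject")
    return problems

if __name__ == "__main__":
    # Constructed inputs reusing the manual's example entries.
    accept, reject = ["10.1.0.1/240"], ["192.168.1.0/20"]
    for ip in ("10.1.0.200", "10.1.0.250", "192.168.1.15"):
        print(ip, lockout_check(ip, accept, reject) or "ok")
    # The same string read as CIDR would cover far more than 21 hosts.
    print(range_size("192.168.1.0/20"),
          ipaddress.ip_network("192.168.1.0/20", strict=False).num_addresses)
```

An administrator used to CIDR would read 192.168.1.0/20 as 4096 addresses; under the reading described above it covers 21, so entries copied from other firewall configurations need to be rewritten rather than pasted.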
VNC Security Login
When a new VNC connection is established, the remote user must be authenticated. Standard VNC protocol
does not support “username”; it only supports passwords. As long as all users have unique passwords, we
can infer which user is connecting based on the password provided. Alternatively, you may enable a second
login screen that will require a valid username and password. This is done after the VNC connection is
established using menus and prompts generated by the firmware. We call this second method “fancy login”.
If it is enabled, fancy login will be required from Java VNC clients as well, which is unfortunate because the
one-time password scheme cannot be used, and Java VNC clients have already logged into the web server
securely. Also, VNC normally encrypts passwords and uses a challenge/hashed response system that is
more secure than the fancy login method. However, this isn’t a concern if the entire connection is encrypted with SSH or SSL.
Access Sharing Policy
There are 3 modes available:
1. Disabled – Use regular give/take method (default): By default we allow all users to take keyboard and mouse control of the system (after connecting via VNC) using a single mouse click.
2. Enforce single user access policy (visible screen): Some circumstances require stricter control of this capability; the admin user can select this mode for the highest priority access. With a single-user access policy, only one user may control the host computer. New connections are permitted, but unless they are the admin user, they will be able to view the screen ONLY, but NOT control the host computer. Once the first user disconnects (or otherwise gives up control), the second user will be able to access the system immediately.
3. Enforce single user access policy (blank screen contents): Some circumstances require stricter control of this capability; the admin user can select this mode for the highest privacy, so that no one can see what the admin user is doing from the VNC screen. That is, the admin user can blank the screen contents when another user is connected but not controlling the keyboard and mouse.
With a single-user access policy, only one user may control the system. New connections are permitted, but
unless they are the admin user, they will NOT be able to see or control the host computer. Once the first user
disconnects (or otherwise gives up control), the second user will be able to access the system immediately.