Server Access

Enable, disable, and configure settings associated with the different network-accessible processes that can run on your DCE server: web server, SSH daemon, SNMP daemon, and SOCKS proxy.

SNMP Server tab

Enable or disable the use of an SNMP agent at your server, define the community names and the port setting used for SNMP access to monitored devices, and identify the contact and location information for the server.

SOCKS Proxy tab

Enable or disable the server's built-in SOCKS v5 proxy server. This proxy server, which uses port 1080, allows users with proxy access to access devices that reside on the private DHCP LAN, by accessing the server from the public LAN.

SSH Server tab

Secure Shell (SSH), a program that provides strong authentication and secure communications over insecure channels. SSH is used to log into a server on the network from a command line to execute commands.

SSH is currently running Enabled by default. Allows SSH access to the Data Center Expert server. Disabling SSH will cause the SSH daemon to be terminated. No new SSH sessions will be allowed. Existing SSH sessions will not be affected.

SSH starts at boot time Enabled by default. Starts SSH whenever the server is turned on or rebooted.

Note: SSH is primarily intended for use with technical support guidance in troubleshooting device issues.

Web Server tab

HTTP and HTTPS settings

Enabling and disabling HTTP or HTTPS access, or changing the ports used, can prevent devices from providing data to your Data Center Expert server.

Enable HTTP Port Select to enable the Data Center Expert server to use HTTP, a non-secure Internet protocol, for web communication at the defined IP port. HTTP is disabled by default.

Enable HTTPS port The Data Center Expert server always uses HTTPS, a secure Internet protocol, for web communication. You can specify the IP port, 443 by default.

Note: IP ports 1 - 65535 are valid, with the exception of ports 20, 21, 22, 23, 25, 123, 161, 162, and 389. These are ports reserved for use by NetBotz appliances and by well-known protocols. Using these reserved ports creates a conflict that can result in operational difficulties.

Enable HTTP Strict Transport Security Allow the Data Center Expert server to add an HTTP Strict Transport Security (HSTS) entry to HTTP response headers. This automatically redirects HTTP connections to HTTPS.

If you select HTTP, it is recommended that you enable HSTS unless it prevents older NetBotz Appliances from posting successfully.

Learn more about HSTS

SSL Certificate

Provides information about the current SSL certificate and allows you to change the certificate.

The DCE server generates a default, self-signed SSL certificate that can be used for secure HTTPS web communication.

• Change Certificate: Access the Change Server SSL Certificate wizard to create or add a new certificate. You also can create a certificate signing request to send to a certificate signing authority.

Security Policy tab

Configure the system-wide cryptographic policy used by the Data Center Expert server.

Crypto policies are a system component that configure the core cryptographic subsystem security policies instead of using individual configurations.

Select one of the cryptographic policies the Data Center Expert server supports:

• Future: Most restrictive to withstand near-term future attacks
• Default: Secure settings for current threat models
• Legacy policy: Least restrictive for maximum compatibility
• DCE: Custom policy, less restrictive than Default and more restrictive than Legacy
• FIPS: A policy level that conforms to FIPS 140 requirements

These policies are applied consistently to running services and are kept up to date as part of Data Center Expert software updates.

When a new policy is set, the web server and SSH server on the DCE server will restart.

The DCE policy is selected by default. The DCE policy is similar to the Legacy policy except that the DCE policy does not allow any RC4 or 3DES based ciphers.

See the documentation for security policy definitions from Red Hat here.

FIPS

Federal Information Processing Standards (FIPS) govern how devices and systems use
cryptography and other information technology.

These standards were created by the National Institute of Science and Technology (NIST)
to protect government data, and ensure those working with the government comply with
certain safety standards before they have access to data.

When a system is in FIPS mode, it uses algorithms and libraries that comply with FIPS
standards, and may also use additional data protection features. FIPS mode may also
disable or restrict certain functions that don't comply with FIPS standards.

Note: In DCE, CIFS (Windows) mounts do not work when FIPS mode is enabled. MD5
authentication is required for CIFS, which is not supported in FIPS mode.

Go to Help > About Data Center Expert to see whether FIPS mode is active on the client and the server.

You can also hover over the lower right corner of the desktop client to see whether FIPS mode is active on the client.